Re: RPID and web origin scope restrictions

On Mon, Feb 3, 2020 at 9:19 PM Shane B Weeden <> wrote:

> Hoping someone who's been involved with WebAuthn spec development longer
> than me can provide some history and describe why the scoping of RPID to
> origin has no cross-origin sharing mechanism (
> For example let's say I want a page served from to be able to make
> calls to navigator.credentials.[get|create] using RPID Current
> WebAuthn scoping rules prohibit this.
> Why couldn't there be a discovery mechanism (conceptually similar to CORS)
> whereby the browser retrieves a well-known discovery document from
> (obviously ensuring server-authentication at transport level) that lists
> as an allowed origin for the purposes of registering or using
> credentials under the RPID?

I.e. U2F FacetID?

There's no fundamental reason why ~FacetID can't be done in WebAuthn,
although the implementation complexity is unfortunate. I believe that, if
you find Dirk in Lisbon this week, he'll agree with you. It is delicate,
however, as all browsers are undergoing significant changes in this space (
and so adding new cross-origin communication has significant headwinds. The
iframe support in Chromium was added to try and serve the needs of payment
providers without adding new mechanisms, so the first step in justifying
something more would be a case that iframes are insufficient. (Perhaps
that's already done; I'm not the person from Chrome who is paying attention
to the payments group.)
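An added example, not from this thread or either poster: a JavaScript model of the RP ID scoping rule under discussion (the RP ID must equal the caller origin's effective domain or be a registrable domain suffix of it), followed by a sketch of how an origin allowlist fetched from a discovery document would relax it. The public-suffix set and the discovery document shape are constructed assumptions, not anything the spec or the thread defines.

```javascript
// Constructed subset of the Public Suffix List, enough for the cases below.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);

// WebAuthn only runs in secure contexts; use the origin's host as its effective domain.
function effectiveDomain(origin) {
  const url = new URL(origin);
  if (url.protocol !== "https:") return null;
  return url.hostname.toLowerCase();
}

// Registrable domain = one label above the longest matching public suffix.
function registrableDomain(host) {
  const labels = host.split(".");
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i - 1).join(".");
  }
  return null; // host is itself a public suffix or a single label
}

// Spec rule: rpId equals host, or is a suffix of host that is at least as
// specific as host's registrable domain (so "com" or "github.io" are rejected).
function isRegistrableDomainSuffixOrEqual(rpId, host) {
  if (rpId === host) return true;
  if (!host.endsWith("." + rpId)) return false;
  const reg = registrableDomain(host);
  return reg !== null && (rpId === reg || rpId.endsWith("." + reg));
}

// Current WebAuthn scoping: the check a browser applies before get()/create().
function rpIdAllowed(callerOrigin, rpId) {
  const host = effectiveDomain(callerOrigin);
  if (host === null) return false;
  return isRegistrableDomainSuffixOrEqual(rpId.toLowerCase(), host);
}

// Hypothetical extension matching the proposal in the thread: a discovery
// document served by the RP ID's host lists extra origins allowed to use it.
// The { allowedOrigins: [...] } shape is an assumption for illustration only.
function rpIdAllowedWithDiscovery(callerOrigin, rpId, discoveryDoc) {
  if (rpIdAllowed(callerOrigin, rpId)) return true;
  if (effectiveDomain(callerOrigin) === null) return false; // still https only
  const allowed = (discoveryDoc && discoveryDoc.allowedOrigins) || [];
  return allowed.includes(new URL(callerOrigin).origin);
}
```

The cross-origin case from the question (a page on one registrable domain using an RP ID from another) fails `rpIdAllowed` and passes only when the discovery document names that origin.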

Received on Tuesday, 4 February 2020 16:23:17 UTC