
Re: [webauthn] Prohibit Create Credential from cross-origin iframes (#1336)

From: J.C. Jones via GitHub <sysbot+gh@w3.org>
Date: Mon, 24 Feb 2020 23:34:06 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-590602937-1582587245-sysbot+gh@w3.org>

Mozilla believes firmly that Create Credential should be prohibited from cross-origin iframes for Level 2 of the specification.

Once process flows are built around cross-origin creation, we will likely be unable to reconsider this decision without great pain to implementers. As such, there should exist no doubts as to the privacy properties of enabling this capability, yet Mozilla and our community do indeed have such doubts.

It is possible that this might be something we revisit to permit in a future version of the specification, once we have further deployed experience with cross-origin Get Assertion.

-- 
GitHub Notification of comment by jcjones
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1336#issuecomment-590602937 using your GitHub account
Received on Monday, 24 February 2020 23:34:08 UTC
