Re: [webauthn] Prohibit Create Credential from cross-origin iframes (#1336)

Mozilla believes firmly that Create Credential should be prohibited from cross-origin iframes for Level 2 of the specification. 

Once process flows are built around cross-origin creation, we will likely be unable to reconsider this decision without great pain to implementers. As such, there should exist no doubts as to the privacy properties of enabling this capability, yet Mozilla and our community do indeed have such doubts.

It is possible that this might be something we revisit to permit in a future version of the specification, once we have further deployed experience with cross-origin Get Assertion.

-- 
GitHub Notification of comment by jcjones
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1336#issuecomment-590602937 using your GitHub account

Received on Monday, 24 February 2020 23:34:08 UTC