Re: [webauthn] Explicitly prohibit use of WebAuthn from non-visible cross-origin iframes (#1303)

While we don't have a final decision from the Mozilla-side, @agl's arguments are persuasive about the UA's inability to codify our intent here. The threat modelling exercise for this led to #1336, which I feel is a more important concern to nail down than the concept of visibility for cross-origin frames. I also think user interaction is potentially more important than visibility (#1293). I will see if I can gather the necessary feedback internally to close this issue in the next ~week.

GitHub Notification of comment by jcjones
Please view or discuss this issue at using your GitHub account

Received on Wednesday, 8 January 2020 20:51:29 UTC