Re: [webauthn] Explicitly prohibit use of WebAuthn from non-visible cross-origin iframes (#1303) from J.C. Jones via GitHub on 2020-01-08 (public-webauthn@w3.org from January 2020)

From: J.C. Jones via GitHub <sysbot+gh@w3.org>
Date: Wed, 08 Jan 2020 20:51:27 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-572251369-1578516686-sysbot+gh@w3.org>

While we don't have a final decision from the Mozilla-side, @agl's arguments are persuasive about the UA's inability to codify our intent here. The threat modelling exercise for this led to #1336, which I feel is a more important concern to nail down than the concept of visibility for cross-origin frames. I also think user interaction is potentially more important than visibility (#1293). I will see if I can gather the necessary feedback internally to close this issue in the next ~week.

-- 
GitHub Notification of comment by jcjones
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1303#issuecomment-572251369 using your GitHub account

Received on Wednesday, 8 January 2020 20:51:29 UTC