Re: [webauthn] Cross-origin credential creation in iframes (#1656)

> I don't think the Authorities responsible for enforcing GDPR "prevent" any proposal; they expect businesses to understand the law and comply with it (and consult with their legal team if they don't understand it). They do, however, act to penalize companies who have violated the law: see https://www.enforcementtracker.com/
> 
> If you sort on the **Fine** column in descending order, you should see some very interesting numbers - the most recent fine was for 746M Euro, levied against Amazon two weeks ago for GDPR violations. The top 9 fines levied were over 10M Euro each with the top 30 fines over a million Euro each.

I understand that GDPR enforcers don't prevent a proposal itself. But you are raising GDPR concerns around the issue of "credential creation from within an iframe", so I am merely asking what is the answer to this question:

If site https://example.com/pay-now is embedded as an iframe in a merchant's site, and wishes to create a credential, solely for example.com's use, how is this legally different from redirecting them to example.com and creating it as a first party, then redirecting back?

I may not be understanding the concern, but our lawyers are happy with the current approach we've taken, so I'm pretty certain they would be equally happy with the extra layer of protection we'd be able to provide were this proposal to be taken forward.



-- 
GitHub Notification of comment by ncthbrt
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1656#issuecomment-894271912 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 6 August 2021 13:45:58 UTC