Re: [webauthn] Cross-origin credential creation in iframes (#1656)

Just to move this conversation back on track, I'd like to reiterate what @emlum said:

> I don't think any multi-party transaction has been proposed here. The proposal is not to allow site A (merchant) to register credentials on behalf of site B (payment provider), rather that site A may embed site B in an iframe, in which site B may register credentials for site B. Communication between the user and site B will be direct and not pass through site A on the way (i.e., public keys and identifiers will not be exposed to site A), and site B is in full control of the registration ceremony just like it would be with a full page redirect.

At least for our use case, and to my understanding, Stripe's use case, this is true. I think this change request has been conflated with a more complicated, knottier ask that may not be in scope. 

-- 
GitHub Notification of comment by ncthbrt
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1656#issuecomment-895446292 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 9 August 2021 18:33:56 UTC