
Re: [webauthn] Cross-origin credential creation (#1656)

From: John Bradley via GitHub <sysbot+gh@w3.org>
Date: Wed, 28 Jul 2021 19:02:41 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-888547663-1627498958-sysbot+gh@w3.org>
Going back to @agl's issue.

Is this:
a) proposing that a site can create an iframe with the feature-policy publickey-credentials-create to allow the origin of the iframe to make a credential? If so, I support that. There are situations like 3dSecure where the ACS is not the bank itself and needs to register a separate credential. There are lots of other places where a SAAS IDP embeds an iframe on an enterprise login page to do authentication. The problem, as I think Duo pointed out, is that offering to register a platform authenticator for next time won't currently work without doing a full page redirect that may take the user out of the flow they are expecting.

b) per Dirk's proposal on payments: allow a site in a full page redirect to create a non-discoverable credential for a third site. I see a lot of uses for that and would like to explore if there are any security/privacy issues with doing that.

GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1656#issuecomment-888547663 using your GitHub account

Received on Wednesday, 28 July 2021 19:02:43 UTC
