[webauthn] WebAuthn assertion disabled by default in cross-origin iframes (Emv 3D Secure flow) (#1589)

erhardbrand has just created a new issue for https://github.com/w3c/webauthn:

== WebAuthn assertion disabled by default in cross-origin iframes (Emv 3D Secure flow) ==
With the intention of enabling WebAuthn during the 3D Secure checkout process, we are struggling to get around the current limitations imposed on cross-origin iFrames.
The official way of supporting WebAuthn authentication within an cross-origin iframe would be for the merchant to change their iframe code to include:
allow="publickey-credentials-get *"
This is not always a feasible solution, as some issuers support 1000's of merchants, and requiring a code change to each and every merchant is a massive undertaking.

With this in mind we are required to look at interim solutions for a "migration phase" while merchants update their implementations to support the new Feature-Policy. One option include relying on a user-gesture to open a popup from within the issuer's iframe, which will then be able to to invoke WebAuthn assertion because the popup is running in the 1P context, however this approach has its own challenges.

To accelerate uptake, would it not be an option to enable the "publickey-credentials-get" Feature-Policy by default on cross-origin iframes? Would having this enabled by default negatively impact the security posture of the iframe?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1589 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 25 March 2021 14:45:48 UTC