- From: Nick Doty via GitHub <noreply@w3.org>
- Date: Thu, 14 Aug 2025 17:14:18 +0000
- To: public-webauthn@w3.org
npdoty has just created a new issue for https://github.com/w3c/webauthn:

== privacy implications of cross-origin iframe ==

Is this intended to support signing in to one relying party when that party is embedded on a different site? Are users supposed to distinguish which party they are signing into when they do this? That seems extremely ripe for confusion. It could be useful for tracking users across sites if the user is trying to sign in to Site A without realizing that what they are doing is providing their cross-origin identifier for Tracker B.

In what way are passkeys partitioned when accessed by a cross-origin embedded iframe?

(This issue includes several questions because the reviewer (that @npdoty guy) wasn't entirely confident in reading the spec on the exact implications, and the rest of the Privacy WG thought it was potentially very concerning, but couldn't be certain based on the reviewer's uncertainty.)

This item was raised and discussed by the Privacy WG as part of this privacy review: https://github.com/w3cping/privacy-request/issues/162

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2321 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 14 August 2025 17:14:19 UTC