[webauthn] §5.10 needs revision to mention cross-domain create in iframes (#2229)

emlun has just created a new issue for https://github.com/w3c/webauthn:

== §5.10 needs revision to mention cross-domain create in iframes ==
[§5.10. Using Web Authentication within iframe elements](https://w3c.github.io/webauthn/#sctn-iframe-guidance) reads in full:

>The [Web Authentication API](https://w3c.github.io/webauthn/#web-authentication-api) is disabled by default in cross-origin [iframe](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element)s. To override this default policy and indicate that a cross-origin [iframe](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element) is allowed to invoke the [Web Authentication API](https://w3c.github.io/webauthn/#web-authentication-api)'s [\[\[DiscoverFromExternalSource\]\](origin, options, sameOriginWithAncestors)](https://w3c.github.io/webauthn/#dom-publickeycredential-discoverfromexternalsource-slot) method, specify the [allow](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-allow) attribute on the [iframe](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element) element and include the [publickey-credentials-get](https://w3c.github.io/webauthn/#publickey-credentials-get-feature) feature-identifier token in the [allow](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-allow) attribute’s value.
>
>[Relying Parties](https://w3c.github.io/webauthn/#relying-party) utilizing the WebAuthn API in an embedded context should review [§ 13.4.2 Visibility Considerations for Embedded Usage](https://w3c.github.io/webauthn/#sctn-seccons-visibility) regarding [UI redressing](https://w3c.github.io/webauthn/#ui-redressing) and its possible mitigations.

Since merging #1801, this is also allowed in `create()` operations. The above section needs to be updated to mention this too.


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2229 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 14 January 2025 14:55:02 UTC
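The iframe rule quoted from §5.10 (WebAuthn off by default in cross-origin frames, enabled per operation by a token in the embedder's `allow` attribute), as an added example that is not part of the issue, the spec, or any browser's code. It is a simplified model of the Permissions Policy decision plus the check an embedded Relying Party page can make before calling the API. The `publickey-credentials-get` token is the one §5.10 names; `publickey-credentials-create` is assumed here to be the token the `create()` change refers to (check the current spec text). The origins are constructed sample values, and the policy model ignores the embedded response's own `Permissions-Policy` header.

```javascript
// Added example, not code from the WebAuthn spec or the linked issue.
// Feature identifiers: "publickey-credentials-get" is quoted in §5.10;
// "publickey-credentials-create" is assumed to be the create() token.
const WEBAUTHN_FEATURES = {
  get: 'publickey-credentials-get',
  create: 'publickey-credentials-create',
};

// Embedder side: build the allow="" value for the operations the RP frame needs.
// e.g. iframeAllowFor(['get', 'create'])
//   -> "publickey-credentials-get; publickey-credentials-create"
function iframeAllowFor(ops) {
  return ops.map((op) => WEBAUTHN_FEATURES[op]).join('; ');
}

// Parse an iframe allow="" attribute into { feature: allowlist[] }.
// Per Permissions Policy, a feature listed without an allowlist means 'src'
// (the origin the iframe's src points at).
function parseAllowAttribute(allow) {
  const policy = {};
  for (const decl of allow.split(';')) {
    const tokens = decl.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...allowlist] = tokens;
    policy[feature] = allowlist.length ? allowlist : ["'src'"];
  }
  return policy;
}

// Simplified policy check (assumption: models only the container policy and
// the embedder's own state, not the embedded response's Permissions-Policy
// header). A feature is enabled in the child frame when the embedder has it
// and the allowlist matches the frame's origin. Both WebAuthn features default
// to 'self', which is why a cross-origin frame gets nothing without a token.
function featureEnabledInFrame({
  feature, allow, embedderOrigin, frameOrigin, srcOrigin, embedderHasFeature = true,
}) {
  if (!embedderHasFeature) return false;
  const policy = parseAllowAttribute(allow || '');
  const allowlist = policy[feature] || ["'self'"];
  return allowlist.some((entry) => {
    if (entry === '*') return true;
    if (entry === "'none'") return false;
    if (entry === "'self'") return frameOrigin === embedderOrigin;
    if (entry === "'src'") return frameOrigin === srcOrigin;
    return entry === frameOrigin; // explicit origin in the allowlist
  });
}

// Which WebAuthn operations may the frame invoke? get and create are gated
// by separate tokens, which is the point §5.10 currently leaves out.
function webauthnAllowedInFrame(frameCtx) {
  return {
    get: featureEnabledInFrame({ ...frameCtx, feature: WEBAUTHN_FEATURES.get }),
    create: featureEnabledInFrame({ ...frameCtx, feature: WEBAUTHN_FEATURES.create }),
  };
}

// Embedded RP side (browser only; returns null under Node). Chromium exposes
// the received policy as document.featurePolicy, so the page can fail early
// with a clear message instead of a NotAllowedError from create()/get().
function frameCanUse(op) {
  if (typeof document === 'undefined' || !document.featurePolicy) return null;
  return document.featurePolicy.allowsFeature(WEBAUTHN_FEATURES[op]);
}

// Constructed sample: a merchant page embedding an RP's frame cross-origin.
const sampleFrame = {
  embedderOrigin: 'https://merchant.example',
  frameOrigin: 'https://rp.example',
  srcOrigin: 'https://rp.example',
};
console.log(webauthnAllowedInFrame({ ...sampleFrame, allow: '' }));
console.log(webauthnAllowedInFrame({ ...sampleFrame, allow: iframeAllowFor(['get']) }));
console.log(webauthnAllowedInFrame({ ...sampleFrame, allow: iframeAllowFor(['get', 'create']) }));
```

The embedder decides per operation: granting only `publickey-credentials-get` lets the frame authenticate but not register, and a same-origin frame needs no token at all because of the `'self'` default. Anything granted to a cross-origin frame is also subject to the UI redressing concerns §5.10 points at in §13.4.2, so the RP page should still verify the received policy and apply its own mitigations.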