This feature allows web developers to create WebAuthn credentials (that is, "publickey" credentials, aka passkeys) in cross-origin iframes. This will allow developers to create passkeys in embedded scenarios, such as after an identity step-up flow where the Relying Party is providing a federated identity experience. Two conditions are required for this new ability, for security reasons:
The iframe has a publickey-credentials-create-feature permission policy.
WebKittens
No response
Title of the spec
WebAuthn: allow for credential creation in a cross-origin iframe
URL to the spec
https://w3c.github.io/webauthn/#publickey-credentials-create-feature
URL to the spec's repository
https://github.com/w3c/webauthn
Issue Tracker URL
No response
Explainer URL
No response
TAG Design Review URL
No response
Mozilla standards-positions issue URL
No response
WebKit Bugzilla URL
No response
Radar URL
No response
Description
Hi WebKittens :)
I'm requesting a formal standards position on the ability to create a credential in a cross-origin iframe in WebAuthn. This was added to the spec in https://github.com/w3c/webauthn/pull/1801, after having been discussed in https://github.com/w3c/webauthn/issues/1656 as well as in WebAuthn Working Group meetings.
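For a Relying Party that accepts registrations made inside a cross-origin iframe, the server-side counterpart is to inspect the `crossOrigin` and `topOrigin` members of the returned `clientDataJSON` and accept only embedders it expects. The following is an added example, not part of the original issue or of the WebAuthn spec text; the function name, the origins and the challenge value are constructed assumptions, and rejecting a `topOrigin` that appears without `crossOrigin` is a conservative choice made here.

```javascript
// Added example (Node.js): Relying Party check of clientDataJSON for a
// registration that may have been performed in a cross-origin iframe.
// All origins are constructed sample values, not taken from the page.
const RP_ORIGIN = "https://idp.example";                        // assumed RP origin
const ALLOWED_TOP_ORIGINS = new Set(["https://shop.example"]);  // assumed embedders

// Hypothetical helper. clientDataJSON: Buffer/Uint8Array from the client.
// expectedChallenge: base64url string the server issued for this ceremony.
function checkCreateClientData(clientDataJSON, expectedChallenge) {
  let c;
  try {
    c = JSON.parse(Buffer.from(clientDataJSON).toString("utf8"));
  } catch {
    return { ok: false, reason: "clientDataJSON is not valid JSON" };
  }
  if (typeof c !== "object" || c === null) {
    return { ok: false, reason: "clientDataJSON is not an object" };
  }
  if (c.type !== "webauthn.create") return { ok: false, reason: "wrong type" };
  if (c.challenge !== expectedChallenge) return { ok: false, reason: "challenge mismatch" };
  // origin is the origin of the frame that called navigator.credentials.create()
  if (c.origin !== RP_ORIGIN) return { ok: false, reason: "unexpected origin" };

  if (c.crossOrigin === true) {
    // Created in a frame that is not same-origin with its ancestors:
    // the top-level page must be one this RP expects to be embedded in.
    if (typeof c.topOrigin !== "string" || !ALLOWED_TOP_ORIGINS.has(c.topOrigin)) {
      return { ok: false, reason: "embedding top-level origin not allowed" };
    }
    return { ok: true, reason: "cross-origin, allowed embedder" };
  }
  if (c.topOrigin !== undefined) {
    // Inconsistent client data: rejected here as a conservative choice.
    return { ok: false, reason: "topOrigin present without crossOrigin" };
  }
  return { ok: true, reason: "same-origin" };
}

// Constructed sample: a registration embedded in an allowed top-level page.
const sampleClientData = Buffer.from(JSON.stringify({
  type: "webauthn.create", challenge: "Y29uc3RydWN0ZWQ",
  origin: RP_ORIGIN, crossOrigin: true, topOrigin: "https://shop.example",
}));
console.log(checkCreateClientData(sampleClientData, "Y29uc3RydWN0ZWQ"));
```

This check complements, and does not replace, the rest of registration verification (RP ID hash, flags, attestation).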