[WebAuthn] Enable Cross-Origin iframes via Feature-Policy

[bsmth]

Acceptance Criteria

• [x] The listed features are documented sufficiently on MDN
• [x] BCD is updated
• [ ] Interactive example and data repos are updated if appropriate
• [x] The content has been reviewed as needed

For folks helping with Firefox related documentation

• [x] Set bugs to dev-doc-complete
• [x] Add entry to Firefox release notes if feature is enabled in release
• [ ] Add entry to Firefox experimental features page if feature is not yet enabled in release

Features to document

publickey-credentials-get in Permissions-Policy allows for cross-origin credentials.get() which is currently only possible in Chrome. This is similar to D42445 but uses the correct name from https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy#directives

And:

In level two we supported cross-origin assertions (when allowed by the top-level) but omitted cross-origin creation because there wasn't anyone with a use-case.

We believe this will be useful in a payments context. When making a payment there are three (or four) parties involved. The customer seeks to authorise the payment. They are on the merchant's site. A bank needs to approve the payment, and there might be a payment processor between the merchant and the bank. If the bank can make a cross-origin assertion on the merchant page then that can greatly improve their confidence that the transaction is genuine. However, that assumes that the bank has a credential for the user, and that would be aided by being able to enroll users inline. Thus the desire for cross-origin creation.

Related Gecko bugs

• https://bugzilla.mozilla.org/show_bug.cgi?id=1460986

Other

• [x] Check content open issues to see if any pertain to the subject matter. If there are any that can be closed because of the work, do so. If there are any that can be fixed relatively quickly because of the knowledge from completing this issue and you have time, feel free to go ahead and fix them.
• [x] Check if glossary updates are required for the feature you're documenting - whether an existing term needs to be updated or a new term should be added.
• [x] Check if BCD update means that content pages need to have experimental markup removed or deprecated markup added (front matter tags and macros).

[hamishwillee]

FYI All the chat on the bug just means Permissions-Policy: publickey-credentials-get is supported as Feature-Policy: publickey-credentials-get. The stuff about creation means that nothing changed for Permissions-Policy: publickey-credentials-create.

Statuss

• [x] BCD https://github.com/mdn/browser-compat-data/pull/20711
• [x] Docs #29129
• [x] Release notes #29130
• [x] dev-docs-complete

[hamishwillee]

Note, the other linked BCD entry https://github.com/mdn/browser-compat-data/pull/20729 fell out of this issue, but is non-blocking.