Closed stephenmcgruer closed 5 months ago
This seems useful. It is common to prompt a user to create a credential on their current device (e.g. their laptop) after they have asserted a credential from a secondary device (e.g. their phone). If the initial assertion happens in a cross-origin iframe (which we currently allow), then the subsequent creation will also happen in a cross-origin iframe. The permission defined here enables this use case.
Suggest positive.
Request for Mozilla Position on an Emerging Web Specification
@-mention GitHub accounts): @stephenmcgruer
Other information
Hello Mozilla friends :)
I'm requesting a formal standards position on the ability to create a credential in a cross-origin iframe in WebAuthn. This was added to the spec in https://github.com/w3c/webauthn/pull/1801, after having been discussed in https://github.com/w3c/webauthn/issues/1656 as well as in WebAuthn Working Group meetings.
This feature allows web developers to create WebAuthn credentials (that is, "publickey" credentials, aka passkeys) in cross-origin iframes. This will allow developers to create passkeys in embedded scenarios, such as after an identity step-up flow where the Relying Party is providing a federated identity experience. Two conditions are required for this new ability, for security reasons: