mozilla / standards-positions

https://mozilla.github.io/standards-positions/
Mozilla Public License 2.0

WebAuthn: Allow for credential creation in a cross-origin iframe #964

Closed stephenmcgruer closed 5 months ago

stephenmcgruer commented 5 months ago

Request for Mozilla Position on an Emerging Web Specification

Other information

Hello Mozilla friends :)

I'm requesting a formal standards position on the ability to create a credential in a cross-origin iframe in WebAuthn. This was added to the spec in https://github.com/w3c/webauthn/pull/1801, after having been discussed in https://github.com/w3c/webauthn/issues/1656 as well as in WebAuthn Working Group meetings.

This feature allows web developers to create WebAuthn credentials (that is, "publickey" credentials, aka passkeys) in cross-origin iframes. This will allow developers to create passkeys in embedded scenarios, such as after an identity step-up flow where the Relying Party is providing a federated identity experience. Two conditions are required for this new ability, for security reasons:

  1. The iframe has a publickey-credentials-create-feature permission policy.
  2. The iframe has transient user activation.
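
The two gates listed above (permission-policy delegation by the embedder, plus transient user activation inside the frame) can be modelled and checked in code. The block below is an added example written for this thread; it is not code from the WebAuthn spec, Chromium, or Mozilla. It assumes the Permissions Policy feature is named `publickey-credentials-create` and that the embedder delegates it through the iframe's `allow` attribute; the allowlist matching is a simplified model of the spec's algorithm (no response-header policy on the embedder, and the frame's origin is taken to be its `src` origin). `parseAllowAttribute` and `featureEnabledInFrame` run anywhere; `createPasskeyOnClick` is the browser-side counterpart an embedded Relying Party page would call from a click handler.

```javascript
// Added example for this thread; not code from the WebAuthn spec, Chromium or Mozilla.
// Assumption: the Permissions Policy feature is named "publickey-credentials-create"
// and the embedder delegates it with the iframe `allow` attribute.
const CREATE_FEATURE = 'publickey-credentials-create';

// Parse an iframe `allow` attribute such as
//   "publickey-credentials-create https://idp.example; fullscreen 'none'"
// into a Map of feature name -> allowlist tokens.
function parseAllowAttribute(allow) {
  const policy = new Map();
  for (const decl of String(allow || '').split(';')) {
    const tokens = decl.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...allowlist] = tokens;
    policy.set(feature.toLowerCase(), allowlist);
  }
  return policy;
}

// Simplified model of allowlist matching for a frame:
//  - feature absent from `allow`: the frame inherits the feature's default allowlist,
//    which for the WebAuthn features is 'self', so only a same-origin frame gets it;
//  - present with an empty allowlist: equivalent to 'src', i.e. the frame's own origin;
//  - otherwise '*', 'none', 'self' (embedder origin), 'src' (frame origin) or explicit origins.
function featureEnabledInFrame(policy, feature, embedderOrigin, frameOrigin) {
  if (!policy.has(feature)) return frameOrigin === embedderOrigin;
  const allowlist = policy.get(feature);
  if (allowlist.length === 0) return true;
  if (allowlist.includes("'none'")) return false;
  for (const entry of allowlist) {
    if (entry === '*') return true;
    if (entry === "'src'") return true; // frame origin is assumed to be its src origin
    if (entry === "'self'" && frameOrigin === embedderOrigin) return true;
    if (entry === frameOrigin) return true;
  }
  return false;
}

// Combine the two gates the spec text requires for creation in a cross-origin frame.
// Returns a reason so a caller can log which gate refused the request.
function checkCrossOriginCreate({ allow, embedderOrigin, frameOrigin, userActivation }) {
  const policy = parseAllowAttribute(allow);
  if (!featureEnabledInFrame(policy, CREATE_FEATURE, embedderOrigin, frameOrigin)) {
    return { allowed: false, reason: 'permission-policy' };
  }
  if (!userActivation) {
    return { allowed: false, reason: 'user-activation' };
  }
  return { allowed: true, reason: null };
}

// Browser-side counterpart for the embedded (Relying Party) page. Call it from a click
// handler so transient activation is present, and report which gate failed.
// navigator.userActivation.isActive is a standard HTML API; document.featurePolicy is
// Chromium-only, so it is consulted only when present. Not run by the test below.
async function createPasskeyOnClick(publicKeyOptions) {
  if (typeof navigator === 'undefined') throw new Error('browser only');
  if (navigator.userActivation && !navigator.userActivation.isActive) {
    throw new Error('no transient user activation: call this from a user gesture handler');
  }
  if (document.featurePolicy && !document.featurePolicy.allowsFeature(CREATE_FEATURE)) {
    throw new Error(`embedder did not delegate ${CREATE_FEATURE} to this frame`);
  }
  return navigator.credentials.create({ publicKey: publicKeyOptions });
}
```

In practice the embedder writes `<iframe src="https://idp.example/..." allow="publickey-credentials-create https://idp.example">` (origins are constructed for the example), and the embedded page only calls `createPasskeyOnClick` from a user gesture; a request that fails either gate is rejected by the browser, which is what the thread's two conditions describe.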
jschanck commented 5 months ago

This seems useful. It is common to prompt a user to create a credential on their current device (e.g. their laptop) after they have asserted a credential from a secondary device (e.g. their phone). If the initial assertion happens in a cross-origin iframe (which we currently allow), then the subsequent creation will also happen in a cross-origin iframe. The permission defined here enables this use case.

Suggest positive.