[Webkit-unassigned] [Bug 222240] [WebAuthn] Using WebAuthn within cross-origin iframe elements

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Oct 28 11:09:34 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=222240

--- Comment #5 from j_pascoe at apple.com <j_pascoe at apple.com> ---
I'm curious about what allowing WebAuthn within a cross-origin iframe might reveal. The dialog messages show what site is requesting the WebAuthn panel.

For example, if we implement this and site1.com embeds a google.com WebAuthn login page, the dialog would show "google.com" is asking to log in.

I have seen some discussion of the embedded document obtaining information about the state of the embedding page via whether certain calls pass/fail (therefore obtaining information about the iframe's allow property) here: https://www.w3.org/TR/permissions-policy-1/#privacy-expose-policy . But we already implement several feature policies for camera, fullscreen, microphone, etc. in https://github.com/WebKit/WebKit/blob/main/Source/WebCore/html/FeaturePolicy.cpp . I don't see anything special about WebAuthn where we might want to restrict the use further.
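
The pass/fail signal discussed in the comment above, modelled as an added example that is not part of the original message and is not WebKit's FeaturePolicy.cpp: a simplified JavaScript version of the Permissions Policy check that decides whether a feature is enabled for a framed document, whose boolean result is what the embedded page can observe. The origins are constructed; the feature name `publickey-credentials-get` and the default allowlists are taken from the WebAuthn and Permissions Policy specifications, not from this thread.

```javascript
// Simplified model of the Permissions Policy check for a document in an <iframe>.
// Assumption: policies delivered by HTTP header are ignored; only the allow
// attribute and each feature's default allowlist are modelled.
const DEFAULT_ALLOWLIST = {
  "publickey-credentials-get": "self", // WebAuthn get()
  camera: "self",
  microphone: "self",
  fullscreen: "self",
};

// Parse an allow attribute into a Map of feature -> allowlist tokens.
function parseAllow(allowAttr) {
  const policy = new Map();
  for (const directive of (allowAttr || "").split(";")) {
    const [feature, ...values] = directive.trim().split(/\s+/).filter(Boolean);
    if (!feature) continue;
    // A bare feature name is shorthand for 'src' (origin of the src URL).
    policy.set(feature, values.length ? values : ["'src'"]);
  }
  return policy;
}

function matches(allowlist, origin, parentOrigin, srcOrigin) {
  return allowlist.some((v) => {
    if (v === "*") return true;
    if (v === "'none'") return false;
    if (v === "'self'") return origin === parentOrigin;
    if (v === "'src'") return origin === srcOrigin;
    try { return new URL(v).origin === origin; } catch { return false; }
  });
}

// Is `feature` enabled for the document currently loaded in the frame?
// frameOrigin defaults to the src origin; pass it when the frame has navigated.
function enabledInFrame(feature, { parentOrigin, srcUrl, allow, frameOrigin, parentEnabled = true }) {
  if (!parentEnabled) return false; // a frame never gets more than its parent has
  const srcOrigin = new URL(srcUrl).origin;
  const origin = frameOrigin || srcOrigin;
  const declared = parseAllow(allow).get(feature);
  if (declared) return matches(declared, origin, parentOrigin, srcOrigin);
  const def = DEFAULT_ALLOWLIST[feature];
  return def === "*" || (def === "self" && origin === parentOrigin);
}

// Constructed embedder and embedded origins.
const frame = { parentOrigin: "https://site1.example", srcUrl: "https://login.example/auth" };
console.log(enabledInFrame("publickey-credentials-get", frame));
console.log(enabledInFrame("publickey-credentials-get", { ...frame, allow: "publickey-credentials-get" }));
```

With no `allow` attribute the cross-origin frame is denied by the `self` default, so the embedder has to opt in explicitly, and the embedded page learns only that one bit about its container.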
