[Webkit-unassigned] [Bug 222240] [WebAuthn] Using WebAuthn within cross-origin iframe elements

bugzilla-daemon at webkit.org
Thu Oct 28 11:25:38 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=222240

--- Comment #6 from John Wilander <wilander at apple.com> ---
The Storage Access API is the only shipping way to request a cross-site identity and the prompt tells the user that their activity may be tracked by the requesting party if they grant access.

Cross-site WebAuthn would have to convey the same information since as soon as the user is identified, that identity can be shared with the first party website or stored by the third-party in first-party storage.

This is not the same as asking for permission to use device features such as camera. This is about user identity and linking of user identity across websites.

See WebKit's tracking prevention policy: https://webkit.org/tracking-prevention-policy/
