[Webkit-unassigned] [Bug 222240] [WebAuthn] Using WebAuthn within cross-origin iframe elements

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Oct 28 11:46:43 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=222240

--- Comment #7 from j_pascoe at apple.com <j_pascoe at apple.com> ---
I don't see the change being asked for here as providing any special way of of transmitting information between the embedded document and the embedder, even if it's cross-origin. All the current restrictions on communication between the embedding document and the embedded document would still apply.

The webauthn spec specifies that Web Authentication should be disabled in i-frames with a feature policy to allow it here: https://www.w3.org/TR/webauthn-2/#sctn-iframe-guidance 

If a cross-origin embedded site needs to convey information after authentication, they would still need to use existing mechanisms to do it.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20211028/17a09514/attachment.htm>


More information about the webkit-unassigned mailing list