Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WebAuthn: Allow for credential creation in a cross-origin iframe #304

Open
stephenmcgruer opened this issue Jan 17, 2024 · 2 comments
Open
Assignees

Comments

@stephenmcgruer
Copy link

stephenmcgruer commented Jan 17, 2024

WebKittens

No response

Title of the spec

WebAuthn: allow for credential creation in a cross-origin iframe

URL to the spec

https://w3c.github.io/webauthn/#publickey-credentials-create-feature

URL to the spec's repository

https://github.com/w3c/webauthn

Issue Tracker URL

No response

Explainer URL

No response

TAG Design Review URL

No response

Mozilla standards-positions issue URL

No response

WebKit Bugzilla URL

No response

Radar URL

No response

Description

Hi WebKittens :)

I'm requested a formal standards position on the ability to create a credential in a cross-origin iframe in WebAuthn. This was added to the spec in w3c/webauthn#1801, after having been discussed in w3c/webauthn#1656 as well as in WebAuthn Working Group meetings.

This feature allows web developers to create WebAuthn credentials (that is, "publickey" credentials, aka passkeys) in cross-origin iframes. This will allow developers to create passkeys in embedded scenarios, such as after an identity step-up flow where the Relying Party is providing a federated identity experience. Two conditions are required for this new ability, for security reasons:

  1. The iframe has a publickey-credentials-create-feature permission policy.
  2. The iframe has transient user activation.
@marcoscaceres
Copy link
Contributor

@pascoej @rmondello, do either of you have opinions?

@holic
Copy link

holic commented Nov 8, 2024

Is there any way to detect support without calling navigator.credentials.create() or navigating.credentials.get()?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants