Support WebOTP in cross-origin iframe #50

Closed
yi-gu opened this issue Nov 27, 2020 · 0 comments
yi-gu commented Nov 27, 2020

In the initial launch of the WebOTP API, because we didn't find enough demand to outweigh the risk / complexity, we deliberately ignored cross-origin iframe support, i.e. calling the API in a cross-origin iframe does not work.

With more partners requesting the feature, we should revisit the underlying privacy issue / risks and add the support if considered necessary.

Proposal

SMS format

There are ongoing discussions regarding how to update the existing "Origin-bound one-time codes delivered via SMS" specification to accommodate cross-origin iframes. We proposed the following format to preserve backward compatibility for other UAs:

@top #code @iframe

See the discussions for more details.

Nested iframes

From an extensibility point of view, we should support an arbitrary level of nested iframes in the long run. In theory, we should include origins from all the intermediate frames to reduce ambiguity. For example, consider the following artificial example:

store.com -> productA.com -> payment.com
store.com -> productB.com -> payment.com

On the random merchandise website store.com there are two products from two different origins. However, both products use the same payment widget to verify the payment info. In this case, when payment.com sends out the SMS, it must include the intermediate origin; otherwise the user will receive two SMSes with the same format:

SMS 1: @store.com #1234 @payment.com
SMS 2: @store.com #5678 @payment.com

However, there are some practical concerns:

  • Including all intermediate origins may easily break the 160 character limit for SMS (and 67 char for UCS-2 encoding)
    • Note: this could be mitigated in verification via email
  • Including all intermediate origins may confuse users
  • There are security concerns for the innermost iframe to access top-frame’s origin to use it in the SMS.

As a result, we proposed to limit the support to cross-origin iframes that have no more than 1 unique origin in their ancestor chain. In the following scenarios:

  • a.com -> b.com
  • a.com -> b.com -> b.com
  • a.com -> a.com -> b.com
  • a.com -> b.com -> c.com

using WebOTP in b.com will be supported but not in c.com.

Note that the following scenario is not supported because of lack of demand and UX complexities.

  • a.com -> b.com -> a.com

Permissions Policy

By default, navigator.credentials.get() requires a secure origin and all its ancestor frames must have the same origin as the requestor does. Therefore we should add an otp-credentials permissions policy to obtain the credentials assertions in cross-origin iframes. Note that navigator.credentials.create() is still disabled in cross-origin iframes. Sample usage:

<!-- top_origin.com -->
<iframe allow="otp-credentials" src="https://cross-origin.com"></iframe>

Chromium tracking issue: https://bugs.chromium.org/p/chromium/issues/detail?id=1136506
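
The proposal above, worked through as an added example (not code from the issue, the specification or Chromium): it parses the `@top #code @iframe` line and applies the ancestor-chain rule to the scenarios listed in the issue. Assumptions: bare host strings stand in for origins, the binding line is the last line of the SMS, the parser is simplified, and the function names are hypothetical.

```javascript
// Added example. Simplified grammar for the binding line (assumption):
// "@top #code" (existing format) or "@top #code @iframe" (proposed format).
const OTP_LINE = /^@([^\s@#]+) #([^\s@#]+)(?: @([^\s@#]+))?$/;

// Parse the last line of an SMS; returns null if it is not a binding line.
function parseOtpSms(sms) {
  const lines = sms.trim().split(/\r?\n/);
  const m = OTP_LINE.exec(lines[lines.length - 1]);
  return m ? { top: m[1], code: m[2], iframe: m[3] ?? null } : null;
}

// chain: hosts from the top frame down to the frame calling the API.
// Returns the { top, iframe } pair the SMS must name, or null when the
// chain is one the proposal does not support.
function expectedBinding(chain) {
  const requester = chain[chain.length - 1];
  const top = chain[0];
  // Ancestor hosts that differ from the requesting frame.
  const others = new Set(chain.slice(0, -1).filter((h) => h !== requester));
  if (others.size === 0) return { top: requester, iframe: null }; // same-origin case
  // Reading of the rule used here (assumption): the only foreign ancestor
  // must be the top frame. This rejects a -> b -> c and a -> b -> a.
  if (others.size > 1 || !others.has(top)) return null;
  return { top, iframe: requester };
}

// Release the code only when the SMS names exactly the frame pair in use.
function codeForFrame(sms, chain) {
  const parsed = parseOtpSms(sms);
  const want = expectedBinding(chain);
  if (!parsed || !want) return null;
  const bound = parsed.top === want.top && parsed.iframe === want.iframe;
  return bound ? parsed.code : null;
}

// Constructed sample message, using the hosts from the issue's example.
const sampleSms = "Your payment code is 1234\n@store.com #1234 @payment.com";
console.log(codeForFrame(sampleSms, ["store.com", "payment.com"]));
console.log(codeForFrame(sampleSms, ["store.com", "productA.com", "payment.com"]));
```

The second call returns `null` because payment.com sits under two distinct ancestor hosts, which is the ambiguous store.com / productA.com / productB.com case the issue describes.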

chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Nov 27, 2020
Major changes:
1. Adds a new policy-controlled feature "otp-credentials" to allow the
  iframe to get credentials from its parent frame.
2. Supports parsing SMSes with format "@top.com #code @iframe.com"
3. Passes along a list of origins in the system instead of a single
  origin previously.

More details on the context: WICG/web-otp#50

Bug: 1136506
Change-Id: Ic458e51c33b721a80204abb490776b436086bff4
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Nov 30, 2020
Major changes:
1. Adds a new policy-controlled feature "otp-credentials" to allow the
  iframe to get credentials from its parent frame.
2. Supports parsing SMSes with format "@top.com #code @iframe.com"
3. Passes along a list of origins in the system instead of a single
  origin previously.

More details on the context: WICG/web-otp#50

Bug: 1136506
Change-Id: Ic458e51c33b721a80204abb490776b436086bff4
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2497992
Commit-Queue: Yi Gu <yigu@chromium.org>
Reviewed-by: Yaron Friedman <yfriedman@chromium.org>
Reviewed-by: Ian Clelland <iclelland@chromium.org>
Reviewed-by: Ken Buchanan <kenrb@chromium.org>
Reviewed-by: Majid Valipour <majidvp@chromium.org>
Cr-Commit-Position: refs/heads/master@{#831865}
moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this issue Dec 4, 2020
…ross-origin iframes, a=testonly

Automatic update from web-platform-tests
[WebOTP] Prototyping WebOTP support in cross-origin iframes

Major changes:
1. Adds a new policy-controlled feature "otp-credentials" to allow the
  iframe to get credentials from its parent frame.
2. Supports parsing SMSes with format "@top.com #code @iframe.com"
3. Passes along a list of origins in the system instead of a single
  origin previously.

More details on the context: WICG/web-otp#50

Bug: 1136506
Change-Id: Ic458e51c33b721a80204abb490776b436086bff4
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2497992
Commit-Queue: Yi Gu <yigu@chromium.org>
Reviewed-by: Yaron Friedman <yfriedman@chromium.org>
Reviewed-by: Ian Clelland <iclelland@chromium.org>
Reviewed-by: Ken Buchanan <kenrb@chromium.org>
Reviewed-by: Majid Valipour <majidvp@chromium.org>
Cr-Commit-Position: refs/heads/master@{#831865}

--

wpt-commits: f7b85ab73e04994eea940c2a7a81f98c8bc75c14
wpt-pr: 26304
@yi-gu yi-gu closed this as completed Aug 4, 2021