Issue #1105 is about ensuring iframes are visible using IntersectionObserver and is still caught up. While we work out the details there, we should add language that explicitly prohibits use of WebAuthn from hidden or off-screen iframes, even if we don't have the algorithm fully worked out, so as to indicate the requirements in the future.
Firefox, for example, is highly unlikely to ever permit hidden iframes to trigger WebAuthn.
From call of 2019-10-09: since the cross-origin case is disabled by default without an allow blessing, I'm not sure about the utility of this. If we force an iframe to be visible, it can still be white on a white background, so I couldn't use that in a security argument either I suspect. Thus I hope that disabled-by-default is a good safeguard and, if not, would be interested to know others' motivations.
We agree with the high-level direction of the proposal, and look forward to seeing the PR. Even if the notion of visibility is tricky to define, we’re in favor of attempting to make it clear that the API is intended to be used by visible frames only.
As an update, I'm still gathering feedback internally per @agl's comment above. Since there's a feeling that this PR would not be welcome, I'm holding off on finishing the language I was using until I get our internal temperature.
While we don't have a final decision from the Mozilla side, @agl's arguments are persuasive about the UA's inability to codify our intent here. The threat modelling exercise for this led to #1336, which I feel is a more important concern to nail down than the concept of visibility for cross-origin frames. I also think user interaction is potentially more important than visibility (#1293). I will see if I can gather the necessary feedback internally to close this issue in favor of those (#1336, #1293) in the next ~week.
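As an added illustration of the mechanism the thread is debating (not code from the issue, the WebAuthn spec, or any browser), here is a client-side gate that only calls `navigator.credentials.get()` from an embedded frame while the triggering element is in view according to IntersectionObserver. The `MIN_VISIBLE_RATIO` value, the `createWebAuthnVisibilityGate` / `isSufficientlyVisible` names and the `rp.example` origin are assumptions made for the example; the `observerFactory` and `credentials` parameters exist only so the logic can be exercised without a DOM.

```javascript
// Added example, not code from the WebAuthn spec, this issue, or any browser.
// A visibility gate for navigator.credentials.get() inside an embedded frame,
// using IntersectionObserver as issue #1105 discusses. The parent page must
// also delegate the feature, e.g.
//   <iframe src="https://rp.example/login" allow="publickey-credentials-get"></iframe>
// or the cross-origin call fails regardless of visibility (the "allow blessing"
// mentioned in the thread). MIN_VISIBLE_RATIO is a policy choice made here,
// not a spec value; rp.example is a placeholder origin.

const MIN_VISIBLE_RATIO = 0.5;

// Pure decision over an IntersectionObserverEntry (or a plain object shaped
// like one, so it can be tested without a DOM). "Visible" here means: the
// element intersects the viewport, at least MIN_VISIBLE_RATIO of it is in
// view, and it has a non-zero box (display:none and zero-size boxes fail).
function isSufficientlyVisible(entry, minRatio = MIN_VISIBLE_RATIO) {
  if (!entry || !entry.isIntersecting) return false;
  if (!(entry.intersectionRatio >= minRatio)) return false;
  const rect = entry.boundingClientRect;
  if (!rect || rect.width <= 0 || rect.height <= 0) return false;
  return true;
}

// Builds a gate around `element` (the control that triggers WebAuthn).
// `observerFactory(callback, options)` defaults to the real
// IntersectionObserver and is injectable so the gate can be driven by a
// fake observer in tests.
function createWebAuthnVisibilityGate(element, observerFactory) {
  const factory = observerFactory ||
    ((cb, opts) => new IntersectionObserver(cb, opts));
  let latest = null; // most recent entry seen for `element`

  const observer = factory((entries) => {
    for (const entry of entries) {
      if (entry.target === element) latest = entry;
    }
  }, { threshold: [0, MIN_VISIBLE_RATIO, 1] });
  observer.observe(element);

  return {
    isVisible() { return isSufficientlyVisible(latest); },

    // Calls credentials.get() only while the element is currently visible;
    // throws synchronously otherwise so the call never reaches the
    // authenticator. `credentials` defaults to navigator.credentials.
    get(publicKeyOptions, credentials) {
      const creds = credentials ||
        (typeof navigator !== 'undefined' ? navigator.credentials : undefined);
      if (!creds) throw new Error('WebAuthn not available in this context');
      if (!isSufficientlyVisible(latest)) {
        throw new Error('WebAuthn refused: triggering element is not visible');
      }
      return creds.get({ publicKey: publicKeyOptions });
    },

    disconnect() { observer.disconnect(); },
  };
}
```

Note the limit @agl raises above: a frame that passes this check can still be rendered white on white, so the gate stops the hidden and off-screen cases but is not a security argument on its own; the default-deny behaviour for cross-origin frames without `allow` remains the safeguard.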