Explicitly prohibit use of WebAuthn from non-visible cross-origin iframes #1303
Comments
Agree with the proposal.
@jcjones Create PR
Update: I have this PR in progress and will get it posted soon.
From call of 2019-10-09: since the cross-origin case is disabled by default without an
We agree with the high-level direction of the proposal, and look forward to seeing the PR. Even if the notion of visibility is tricky to define, we're in favor of attempting to make it clear that the API is intended to be used by visible frames only.
As an update, I'm still gathering feedback internally per @agl's comment above. Since there's feeling that this PR would not be welcome, I haven't finished shaping the language I was using until I get our internal temperature.
While we don't have a final decision from the Mozilla side, @agl's arguments are persuasive about the UA's inability to codify our intent here. The threat modelling exercise for this led to #1336, which I feel is a more important concern to nail down than the concept of visibility for cross-origin frames. I also think user interaction is potentially more important than visibility (#1293). I will see if I can gather the necessary feedback internally to close this issue in favor of those (#1336, #1293) in the next ~week.
At the 2020-02-26 meeting, @jcjones, @agl, and @rmondello agreed that closing this issue is fine; no objections from the room.
Issue #1105 is about ensuring iframes are visible using IntersectionObserver and is still caught up. While we work out the details there, we should add language that explicitly prohibits use of WebAuthn from hidden or off-screen iframes, even if we don't have the algorithm fully worked out, so as to indicate the requirements in the future.
Firefox, for example, is highly unlikely to ever permit hidden iframes to trigger WebAuthn.