Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Explicitly prohibit use of WebAuthn from non-visible cross-origin iframes #1303

Closed
jcjones opened this issue Sep 20, 2019 · 8 comments
Closed

Comments

@jcjones
Copy link
Contributor

jcjones commented Sep 20, 2019

Issue #1105 is about ensuring iframes are visible using IntersectionObserver and is still caught up. While we work out the details there, we should add language that explicitly prohibits use of WebAuthn from hidden or off-screen iframes, even if we don't have the algorithm fully worked out, so as to indicate the requirements in the future.

Firefox, for example, is highly unlikely to ever permit hidden iframes to trigger WebAuthn.

@akshayku
Copy link
Contributor

Agree with the proposal.

@nadalin
Copy link
Contributor

nadalin commented Sep 20, 2019

@jcjones Create PR

@jcjones
Copy link
Contributor Author

jcjones commented Oct 9, 2019

Update: I have this PR in progress and will get it posted soon.

@agl
Copy link
Contributor

agl commented Oct 9, 2019

From call of 2019-10-09: since the cross-origin case is disabled by default without an allow blessing, I'm not sure about the utility of this. If we force an iframe to be visible, it can still be white on a white background, so I couldn't use that in a security argument either I suspect. Thus I hope that disabled-by-default is a good safeguard and, if not, would be interested to know others' motivations.

@rmondello
Copy link

We agree with the high-level direction of the proposal, and look forward to seeing the PR. Even if the notion of visibility is tricky to define, we’re in favor of attempting to make it clear that the API is intended to be used by visible frames only.

@jcjones
Copy link
Contributor Author

jcjones commented Oct 16, 2019

As an update, I'm still gathering feedback internally per @agl's comment above. Since there's feeling that this PR would not be welcome, I haven't finished shaping the language I was using until I get our internal temperature.

@jcjones
Copy link
Contributor Author

jcjones commented Jan 8, 2020

While we don't have a final decision from the Mozilla-side, @agl's arguments are persuasive about the UA's inability to codify our intent here. The threat modelling exercise for this led to #1336, which I feel is a more important concern to nail down than the concept of visibility for cross-origin frames. I also think user interaction is potentially more important than visibility (#1293). I will see if I can gather the necessary feedback internally to close this issue in favor of those (#1336, #1293) in the next ~week.

@equalsJeffH
Copy link
Contributor

at the 2020-02-26 meeting, @jcjones, @agl, and @rmondello agreed that closing this issue is fine, no objections from room.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

6 participants