Allow for credential creation in a cross-origin iframe #1801
Conversation
|
cc @ve7jtb , who I believe wished to make sure that this was compatible with the previous L2 discussion on what create() in a cross-origin iframe would look like (particularly the permission policy name, I believe). |
|
This pull request was discussed at the Sept 21st, 2022 WebAuthn WG meeting. During that meeting, we heard the following concerns from Apple (and please @pascoej , correct me if I am misrepresenting your comments!)
I'd like to start by repeating (as we said in the meeting) that these concerns are not invalid and we appreciate where you are coming from. For 1 and 2; it is already the case today that a Relying Party could register a passkey for a purpose other than sign-in, and utilize it as so. Taking payment as an example; when visiting bank.com I could be asked to 'enroll a passkey to validate future payments when making online purchases'. Even though I was told by the Relying Party that it was for future payments only, that passkey would still show up in the password manager, and the bank could use it to do sign-in. This PR does not change that status quo. (There is also a deeper purpose discussion here; should WebAuthn be confined to sign-in and attempt - as much as it can[0] - to force Relying Parties down that road. Or, should WebAuthn take the view that passkeys are a verification method only, and what they are verifying is out of scope.) For 3, it is already possible today to produce a flow with pop-ups that is very close to what this PR enables. An iframe can, with user activation: open a pop-up window, immediately trigger credential.create() in that pop-up, and then close the pop-up instantly after completion. On desktop the pop-up can be made to be almost completely hidden, and on mobile the 'greying' of the screen for the passkey UX obscures the new origin in the URL bar. This demo site should demonstrate this—it has been tested on Chrome 105 and Safari 16.0 on MacOS, Chrome 105 on Android, and Safari on iOS 16.0. Given the existing situation and the ability of the browser to display additional UX for the iframe case if it wishes (see below), we do not think this PR significantly changes the status quo. Finally, for 4, as per the issue comment we acknowledge the slight increase in risk here, but believe that a combination of:
provides adequate defence. A browser could also, if it wished, add additional or clearer UX to warn the user that the create is occurring in an iframe. [0] I think the only real mechanism for this is the client/authenticator UI, incidentally. I don't believe there is a feasible way at the API level to constrain to sign-in. |
|
Hi folks; I had hoped to bring this PR up on today's call, but since it is cancelled pinging here instead. We are still waiting on a response here from Apple, and I would love to have that for next WebAuthn WG meeting if possible (2022/11/16). If there is no answer by the 16th (or during the call), I will be interested to know how the WebAuthn WG wants to proceed at that time (i.e., what the method is to resolve this PR one way or another). |
nadalin
requested review from
daniel-montalvo and
dveditz
and removed request for
daniel-montalvo
Ack - done, removed the TODO in eb32a68 |
|
Lgtm |
|
Post-vacations ping to @akshayku @timcappalli @ve7jtb - could you review this before this week's WebAuthn sync? (I.e. before the 11th). I'd like to get this merged. |
@stephenmcgruer, we may need one more WG meeting cycle due to holidays and vacations. Sorry for the delay. |
|
(This PR was discussed in the Jan 11 WebAuthn WG meeting. Overall it seems good, but @timcappalli intends to add a comment to request two changes to the PR - one in line with @ve7jtb's suggestion and one additional UX 'should' advisory.) |
stephenmcgruer
force-pushed
the
smcgruer/publickey-credentials-create
branch
from
eb32a68
to
1bdab8c
Compare
|
@timcappalli @ve7jtb - I've gone ahead and pushed two commits to this PR that add a note on the client making it clear to the user if the credential creation is in a cross-origin iframe, and also added a Hope this is somewhat along the lines of what you were each thinking - but if not no worries, happy to revise to whatever feedback you have :) |
|
(Merging as this is all green & blocking w3c/webappsec-credential-management#209 and some other work, feel free to open an issue for outstanding issues) |
SHA: 3ff766e Reason: push, by nsatragno Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
add mention and link to an informative Note a note and link w3c/webauthn#1801
…n registration #243 Add to an informative Note that WebAuthn Levels 1 and 2 do not support cross-origin registration, but level 3 is expected to, and link to pull request: w3c/webauthn#1801
As of w3c/webauthn#1801, the WebAuthn spec allows for credential creation in a cross-origin iframe, as long as the "publickey-credentials-create" permission policy is set AND there is a user activation for the call. Previously, Chrome supported this but only for 'payment' WebAuthn credentials*, which also used a different permission policy ("payment"). This CL updates Chrome to support calling credentials.create() for a publickey in a cross-origin iframe, as long as the above conditions are met. The behavior is behind a runtime-enabled flag, WebAuthnAllowCreateInCrossOriginFrame, which is currently set to "experimental". It will be set to stable once we have an approved I2S for this feature. This CL does NOT update the behavior for "payment" extension credentials, which still require the "payment" permission policy for now. crbug.com/1512605 and crbug.com/1512245 track the required changes there. * That is, credential creation calls in which the payment extension is specified. Bug: 1420639 Change-Id: Ic016f074cf0983206a4b2d5fc91e9675756cd159 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5013987 Reviewed-by: Rick Byers <rbyers@chromium.org> Commit-Queue: Stephen McGruer <smcgruer@chromium.org> Cr-Commit-Position: refs/heads/main@{#1238797}
|
LFG 🚀 |
…eate(), a=testonly Automatic update from web-platform-tests [WebAuthn] Add tests for cross-origin create() (#43729) See w3c/webauthn#1801 -- wpt-commits: d46f1aec78700b30ec633165cd51af2fd90bf3b6 wpt-pr: 43729
…eate(), a=testonly Automatic update from web-platform-tests [WebAuthn] Add tests for cross-origin create() (#43729) See w3c/webauthn#1801 -- wpt-commits: d46f1aec78700b30ec633165cd51af2fd90bf3b6 wpt-pr: 43729 UltraBlame original commit: 7533e06bd4f5950829eb0eb456a416b37d06e7bf
…eate(), a=testonly Automatic update from web-platform-tests [WebAuthn] Add tests for cross-origin create() (#43729) See w3c/webauthn#1801 -- wpt-commits: d46f1aec78700b30ec633165cd51af2fd90bf3b6 wpt-pr: 43729 UltraBlame original commit: 7533e06bd4f5950829eb0eb456a416b37d06e7bf
…eate(), a=testonly Automatic update from web-platform-tests [WebAuthn] Add tests for cross-origin create() (#43729) See w3c/webauthn#1801 -- wpt-commits: d46f1aec78700b30ec633165cd51af2fd90bf3b6 wpt-pr: 43729 UltraBlame original commit: 7533e06bd4f5950829eb0eb456a416b37d06e7bf
…eate(), a=testonly Automatic update from web-platform-tests [WebAuthn] Add tests for cross-origin create() (#43729) See w3c/webauthn#1801 -- wpt-commits: d46f1aec78700b30ec633165cd51af2fd90bf3b6 wpt-pr: 43729
See #1656
This PR adds the ability to call navigator.credentials.create() in a cross-origin
iframe (more exactly, a frame that is not same-origin with its ancestor chain),
as long as the following conditions are met:
It has a corresponding PR on the credential management spec; see
w3c/webappsec-credential-management#209
Preview | Diff