Support WebOTP in cross-origin iframe #50

yi-gu · 2020-11-27T17:09:02Z

In the initial launch of the WebOTP API, because we didn't find enough demand that outweighs the risk / complexity, we deliberately ignored the cross-origin iframe support. i.e. calling the API in a cross-origin iframe does not work.

With more partners requesting the feature, we should revisit the underlying privacy issue / risks and add the support if considered necessary.

Proposal

SMS format

There are ongoing discussions regarding how to update the existing "Origin-bound one-time codes delivered via SMS" specification to accommodate cross-origin iframes. We proposed the following format to preserve backward compatibility for other UAs:

@top #code @iframe

See the discussions for more details.

Nested iframes

From the extensibility’s point of view, we should support an arbitrary level of nested iframes in the long run. In theory, we should include origins from all the intermediate frames to reduce ambiguity. For example, consider the following artificial example:

store.com -> productA.com -> payment.com
store.com -> productB.com -> payment.com

On the random merchandise website store.com there are two products from two different origins. However both products use the same payment widget to verify the payment info. In this case, when payment.com sends out the SMS, it must include the intermediate origin otherwise the user will receive two SMSes with the same format:

SMS 1: @store.com #1234 @payment.com
SMS 2: @store.com #5678 @payment.com

However there are some practical concerns:

Including all intermediate origins may easily break the 160 character limit for SMS (and 67 char for UCS-2 encoding)
- Note: this could be mitigated in verification via email
Including all intermediate origins may confuse users
There are security concerns for the innermost iframe to access top-frame’s origin to use it in the SMS.

As a result, we proposed to limit the support to cross-origin iframes who have no more than 1 unique origin in its ancestor chain. In the following scenarios:

a.com -> b.com
a.com -> b.com -> b.com
a.com -> a.com -> b.com
a.com -> b.com -> c.com

using WebOTP in b.com will be supported but not in c.com.

Note that the following scenario is not supported because of lack of demand and UX complexities.

a.com -> b.com -> a.com

Permissions Policy

By default, navigator.credentials.get() requires a secure origin and all its ancestor frames must have the same origin as the requestor does. Therefore we should add an otp-credentials permissions policy to obtain the credentials assertions in cross-origin iframes. Note that navigator.credentials.create() is still disabled in cross-origin iframes. Sample usage:

<! -- top_origin.com -->
<iframe allow="otp-credentials" src="cross-origin.com"></iframe>

Chromium tracking issue: https://bugs.chromium.org/p/chromium/issues/detail?id=1136506

The text was updated successfully, but these errors were encountered:

Major changes: 1. Adds a new policy-controlled feature "otp-credentials" to allow the iframe to get credentials from its parent frame. 2. Supports parsing SMSes with format "@top.com #code @iframe.com" 3. Passes along a list of origins in the system instead of a single origin previously. More details on the context: WICG/web-otp#50 Bug: 1136506 Change-Id: Ic458e51c33b721a80204abb490776b436086bff4

Major changes: 1. Adds a new policy-controlled feature "otp-credentials" to allow the iframe to get credentials from its parent frame. 2. Supports parsing SMSes with format "@top.com #code @iframe.com" 3. Passes along a list of origins in the system instead of a single origin previously. More details on the context: WICG/web-otp#50 Bug: 1136506 Change-Id: Ic458e51c33b721a80204abb490776b436086bff4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2497992 Commit-Queue: Yi Gu <yigu@chromium.org> Reviewed-by: Yaron Friedman <yfriedman@chromium.org> Reviewed-by: Ian Clelland <iclelland@chromium.org> Reviewed-by: Ken Buchanan <kenrb@chromium.org> Reviewed-by: Majid Valipour <majidvp@chromium.org> Cr-Commit-Position: refs/heads/master@{#831865}

Major changes: 1. Adds a new policy-controlled feature "otp-credentials" to allow the iframe to get credentials from its parent frame. 2. Supports parsing SMSes with format "@top.com #code @iframe.com" 3. Passes along a list of origins in the system instead of a single origin previously. More details on the context: WICG/web-otp#50 Bug: 1136506 Change-Id: Ic458e51c33b721a80204abb490776b436086bff4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2497992 Commit-Queue: Yi Gu <yigu@chromium.org> Reviewed-by: Yaron Friedman <yfriedman@chromium.org> Reviewed-by: Ian Clelland <iclelland@chromium.org> Reviewed-by: Ken Buchanan <kenrb@chromium.org> Reviewed-by: Majid Valipour <majidvp@chromium.org> Cr-Commit-Position: refs/heads/master@{#831865}

…ross-origin iframes, a=testonly Automatic update from web-platform-tests [WebOTP] Prototyping WebOTP support in cross-origin iframes Major changes: 1. Adds a new policy-controlled feature "otp-credentials" to allow the iframe to get credentials from its parent frame. 2. Supports parsing SMSes with format "@top.com #code @iframe.com" 3. Passes along a list of origins in the system instead of a single origin previously. More details on the context: WICG/web-otp#50 Bug: 1136506 Change-Id: Ic458e51c33b721a80204abb490776b436086bff4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2497992 Commit-Queue: Yi Gu <yigu@chromium.org> Reviewed-by: Yaron Friedman <yfriedman@chromium.org> Reviewed-by: Ian Clelland <iclelland@chromium.org> Reviewed-by: Ken Buchanan <kenrb@chromium.org> Reviewed-by: Majid Valipour <majidvp@chromium.org> Cr-Commit-Position: refs/heads/master@{#831865} -- wpt-commits: f7b85ab73e04994eea940c2a7a81f98c8bc75c14 wpt-pr: 26304

Major changes: 1. Adds a new policy-controlled feature "otp-credentials" to allow the iframe to get credentials from its parent frame. 2. Supports parsing SMSes with format "@top.com #code @iframe.com" 3. Passes along a list of origins in the system instead of a single origin previously. More details on the context: WICG/web-otp#50 Bug: 1136506 Change-Id: Ic458e51c33b721a80204abb490776b436086bff4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2497992 Commit-Queue: Yi Gu <yigu@chromium.org> Reviewed-by: Yaron Friedman <yfriedman@chromium.org> Reviewed-by: Ian Clelland <iclelland@chromium.org> Reviewed-by: Ken Buchanan <kenrb@chromium.org> Reviewed-by: Majid Valipour <majidvp@chromium.org> Cr-Commit-Position: refs/heads/master@{#831865} GitOrigin-RevId: 5874e3cfc841949d2a808d50be2374028d2306e3

chromium-wpt-export-bot mentioned this issue Nov 27, 2020

[WebOTP] Prototyping WebOTP support in cross-origin iframes web-platform-tests/wpt#26304

Merged

yi-gu mentioned this issue Jan 28, 2021

Support WebOTP API and origin-bound one time code in cross-origin iframes w3ctag/design-reviews#604

Closed

1 task

yi-gu mentioned this issue Feb 8, 2021

Update usage in iframe && remove outdated files #51

Merged

yi-gu closed this as completed Aug 4, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support WebOTP in cross-origin iframe #50

Support WebOTP in cross-origin iframe #50

yi-gu commented Nov 27, 2020

Support WebOTP in cross-origin iframe #50

Support WebOTP in cross-origin iframe #50

Comments

yi-gu commented Nov 27, 2020

Proposal

SMS format

Nested iframes

Permissions Policy