Revise same-origin as ancestor requirements #1001
Comments
|
Not putting this in the spec until L2 means that certain relying party use cases (which seem to be important for adoption) won't be implementable for at least a year. Any chance we could do this for L1? |
|
Talking to Jeff, there are WebAppSec dependencies to get this to work securely. While I think we all want this to work, just removing the restriction in WebAutn is not sufficient to have it work securely. We should try to sort this out so that at least not block it working once the other parts come together. That, however, may be difficult to capture in spec language. |
|
@equalsJeffH: What are the WebAppSec dependencies? Can y'all not just accept |
|
@mikewest - are arbitrary cross-origin mashups presently secure? If we were to "just accept i.e., IIUC, if we accept ...Yes? Is IntersectionObserver2 still just a "proposal"? It seems to me that RPs would be well served by being able to invoke something like " Compute whether a Target is unoccluded, untransformed, unfiltered, and opaque"... Do we know what the exact list of things we need to add to the webauthn spec in order to not hand RPs a footgun? WDYT? thanks! |
|
We might want to add a note to the security considerations to point to intersection observer 2 (io2). |
|
See also #969 |
Opened #1105 |
Picking up where we left off on w3c/webappsec-credential-management#3 and related to #873 and #911...
There is a need by some relying parties to be able to use WebAuthn in child browsing contexts (e.g. - iframes, child windows, etc.). Currently WebAuthn requires
sameOriginWithAncestorswhich prevents these use cases.@equalsJeffH had put together an initial proposal on how this might work and presented it during a meeting and we didn't hear anyone complain.
The text was updated successfully, but these errors were encountered: