This feature allows web developers to create WebAuthn[0] credentials (that is, "publickey" credentials, aka passkeys) in cross-origin iframes. Two conditions are required for this new ability:

1. The iframe has a publickey-credentials-create-feature permission policy.
2. The iframe has transient user activation.

This will allow developers to create passkeys in embedded scenarios, such as after an identity step-up flow where the Relying Party is providing a federated identity experience.

[0]: https://w3c.github.io/webauthn/
There is only minor interoperability risk if other browsers do not adopt this change. In a browser that does not support credential creation inside a cross-origin iframe, attempting to call navigator.credentials.create results in an asynchronous-but-immediate error message indicating that creation cannot happen. This means that a developer can create a fallback flow of:

1. Have some button for the user, e.g. "register passkey", in the iframe.
2. When the user clicks it, attempt to create a credential.
3. If it fails due to an incompatible browser, instead use the click to open a pop-up window in which one *can* do the registration - a much poorer user flow but one that works.
To prevent malicious iframes from creating credentials (attempting to trick the user in some way), this feature requires both (a) a new permission policy set on the frame, and (b) a user gesture (so the user must click or interact with the iframe in some way).
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
Existing devtools support suffices for this feature
In review: https://github.com/web-platform-tests/wpt/pull/43729 (Chrome Dev passes 5/5 added tests)
Shipping on desktop | 122 |
DevTrial on desktop | 122 |
Shipping on Android | 122 |
DevTrial on Android | 122 |
Already landed in the spec, no remaining changes expected.
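The fallback flow described in the intent above, sketched as an added example; it is not code from the thread, Chromium or the WebAuthn spec. The names registerPasskey, wireRegisterButton, IMMEDIATE_MS and popupUrl are hypothetical, and the code assumes an unsupported browser rejects with NotAllowedError quickly enough to be told apart from a user dismissing the prompt.

```javascript
// Added example. Hypothetical names: registerPasskey, wireRegisterButton,
// IMMEDIATE_MS, popupUrl.
const IMMEDIATE_MS = 250; // assumed cut-off for an "immediate" rejection

// credentials: navigator.credentials (or a stand-in); openPopup: () => window or null.
async function registerPasskey({ credentials, publicKey, openPopup, now = Date.now }) {
  const started = now();
  try {
    // Supported browser, permission policy set, user activation present.
    const credential = await credentials.create({ publicKey });
    return { path: 'iframe', credential };
  } catch (err) {
    const immediate = now() - started <= IMMEDIATE_MS;
    // Assumption: an unsupported browser rejects at once with NotAllowedError.
    // A user dismissing the prompt rejects with the same name, but only after
    // the prompt was shown, so a slow rejection is not read as "incompatible"
    // and no pop-up is forced on a user who just declined.
    if (err.name !== 'NotAllowedError' || !immediate) {
      return { path: 'failed', error: err };
    }
    // Reuse the same click to open the top-level registration window.
    const popup = openPopup();
    return popup ? { path: 'popup', popup } : { path: 'failed', error: err };
  }
}

// Browser wiring: publicKey must already be fetched so create() runs on the click.
function wireRegisterButton(button, publicKey, popupUrl) {
  button.addEventListener('click', () =>
    registerPasskey({
      credentials: navigator.credentials,
      publicKey,
      openPopup: () => window.open(popupUrl, 'passkey-registration', 'popup,width=480,height=640'),
    }));
}
```

The pop-up page should run its own registration ceremony as a top-level document rather than trust parameters passed from the iframe.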
I think erring on the side of requesting a signal here is a good
idea. :)
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADY3MaeX7OPn44HzmaTraBj%3DYEaosz4Y-aYdDr4Y%2BT7mkm9A0Q%40mail.gmail.com.
LGTM3