The WebOTP API (shipped in M84: launch bug, I2S) gives developers the ability to programmatically read OTPs from SMS messages delivered to the user's phone that are addressed to their origin, to reduce user friction.
In the initial launch of the API, we deliberately ignored cross-origin iframe support. Post-launch, to address feature requests from partners (Shopify etc.) and to improve interoperability, we are proposing to support WebOTP in cross-origin iframes with:
- an updated string on the permission dialog that includes the information of both the top frame and the cross-origin iframe (user facing)
- a new permissions policy that allows the top frame to enable the feature (developer facing)
- an updated SMS format that includes the domain of the cross-origin iframe (developer facing)
While Safari does not implement the imperative WebOTP API directly (they use a declarative API), we share the same SMS format. Safari raised the initial request to use sms-one-time-code in nested frames, to support a third party or a separate service run by the same party. Cross-origin iframe support was included in their launch of the declarative API. However, the SMS-format-related spec had not landed, and we believe there was room for improvement regarding how the iframe is specified in the SMS. Therefore we proposed and drove consensus on a solution that addresses our concerns and also preserves backwards compatibility for Safari.
Explainer
https://github.com/WICG/web-otp/blob/master/README.md
Specification
WebOTP API spec
Yes
Design docs
https://docs.google.com/document/d/1dR-5-1O3SqAbQCRj_cBaQ7nQD5YlWzExcusmPcO2Xqs/edit?usp=sharing
On Tuesday, March 23, 2021 at 8:10:46 PM UTC+1 Yi Gu wrote:
> Summary
> The WebOTP API (shipped in M84: launch bug, I2S) gives developers the ability to programmatically read OTPs from SMS messages delivered to the user's phone that are addressed to their origin, to reduce user friction.
> In the initial launch of the API, we deliberately ignored cross-origin iframe support. Post-launch, to address feature requests from partners (Shopify etc.) and to improve interoperability, we are proposing to support WebOTP in cross-origin iframes with:
> - an updated string on the permission dialog that includes the information of both the top frame and the cross-origin iframe (user facing)
> - a new permissions policy that allows the top frame to enable the feature (developer facing)
I'd primarily suggest this as a part of a security review, but I note that the idea is to try to explain the concept of a nested web page to a user. My impression is that that particular ship has sailed. It is too complicated and technical to rely on any user making a proper informed decision.
Have you run this past the security people already? And how not-good would it be if people willy-nilly accept this permission?
/Daniel
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACh2XCPOJBxC_Tk1LK5_27kN1VBJH_EcxGhfjYHGa-4hJpL%3DHQ%40mail.gmail.com.
----
Web developers: Lack of cross-origin frame support blocks some partners (especially payment-related sites) from adopting the API. We have received requests from them through different channels.
Is this feature fully tested by web-platform-tests?
Yes.
Tracking bug
https://crbug.com/1136506
Launch bug
https://crbug.com/1169375
Sample links
https://output.jsbin.com/gilusuq/quiet
Link to entry on the Chrome Platform Status
https://www.chromestatus.com/feature/5679508336148480
This intent message was generated by Chrome Platform Status.
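The updated SMS format from the Summary above (a trailing `@host` naming the cross-origin iframe, as it landed in the WICG origin-bound one-time codes format) and the matching decision a browser has to make before releasing a code to an embedded frame, as an added example in JavaScript. This is illustrative code written for this page, not Chromium's parser or the WebOTP project's own code; the function names parseOtpSms and otpForFrame are made up here, the hosts shop.example and pay.example and the sample message are constructed, and the grammar of the last line is taken from the published format rather than from this thread.

```javascript
// Added example for this page: a checker for the origin-bound one-time-code
// SMS format with the optional embedded-frame host, and the delivery rule a
// browser applies before handing the code to a cross-origin iframe.
// Not Chromium's implementation; function names and samples are made up here.

// Assumed grammar of the LAST line of the SMS (WICG origin-bound one-time codes):
//   "@" <top-level host> " #" <code> [ " @" <embedded frame host> ]
// Earlier lines are free-form text for the user and are ignored.
const OTP_LINE = /^@(\S+) #(\S+)(?: @(\S+))?$/;
// Hosts only: no scheme, port, path or userinfo. IDN hosts are expected in
// punycode form (simplification for this example).
const HOST = /^[a-z0-9.-]+$/i;

// Parse an SMS into {topHost, code, embeddedHost}; null if it is not an OTP message.
function parseOtpSms(sms) {
  const lines = sms.split(/\r?\n/).map((l) => l.trim()).filter((l) => l !== "");
  if (lines.length === 0) return null;
  const m = OTP_LINE.exec(lines[lines.length - 1]);
  if (!m) return null;
  const topHost = m[1].toLowerCase();
  const embeddedHost = m[3] === undefined ? null : m[3].toLowerCase();
  if (!HOST.test(topHost)) return null;
  if (embeddedHost !== null && !HOST.test(embeddedHost)) return null;
  return { topHost, code: m[2], embeddedHost };
}

// Return the code if the message is addressed to the requesting frame, else null.
// `topHost` is the host of the top-level page; `frameHost` is the host of the
// frame that called the API. frameHost === topHost models a top-level or
// same-origin caller; anything else models a cross-origin iframe.
function otpForFrame(sms, topHost, frameHost) {
  const parsed = parseOtpSms(sms);
  if (parsed === null) return null;
  const top = topHost.toLowerCase();
  const frame = frameHost.toLowerCase();
  if (parsed.topHost !== top) return null; // sent for a different top-level site
  if (frame === top) {
    // Top-level / same-origin caller: a message that names an embedded host is
    // addressed to that frame, not to the page itself, so it is not released here.
    return parsed.embeddedHost === null ? parsed.code : null;
  }
  // Cross-origin iframe: the sender must have named this frame's host explicitly.
  // A message with no embedded host is never released to a cross-origin frame.
  return parsed.embeddedHost === frame ? parsed.code : null;
}

// Constructed sample: checkout page shop.example embedding a payment iframe pay.example.
const SAMPLE_SMS = "Your verification code is 123456.\n\n@shop.example #123456 @pay.example";
console.log(otpForFrame(SAMPLE_SMS, "shop.example", "pay.example")); // "123456": released to the iframe
console.log(otpForFrame(SAMPLE_SMS, "shop.example", "shop.example")); // null: addressed to the iframe, not the page
```

In the browser the iframe itself calls navigator.credentials.get({ otp: { transport: ["sms"] } }) and the top frame has to opt it in through the permissions policy (shipped under the name otp-credentials in the iframe allow attribute, a name this thread does not spell out); otpForFrame models the decision the browser takes between receiving the SMS and resolving that promise. The conservative choices here are deliberate: a code addressed to an embedded host is not handed to the top-level page, and a code with no embedded host is not handed to any cross-origin iframe, so a sender cannot accidentally address a code to a frame it did not intend.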
Please email webkit-dev per bit.ly/blink-signals.