Allow IWAs to call WebAuthn [chromium/src : main]

Olga Korokhina (Gerrit)

1:42 AM (4 hours ago)
to Andrew Rayskiy, Jerome Jiang, Mirko Bonadei, android-bu...@system.gserviceaccount.com, Chris Thompson, Code Review Nudger, Simon Hangl, Martin Kreichgauer, Chromium LUCI CQ, chromium...@chromium.org, blink-re...@chromium.org, blink-...@chromium.org, kinuko...@chromium.org, mar...@chromium.org, browser-comp...@chromium.org, net-r...@chromium.org, eme-r...@chromium.org, devtools...@chromium.org, titoua...@chromium.org, chrome-intell...@chromium.org, chrome-intelligence-te...@google.com, feature-me...@chromium.org, penghuan...@chromium.org, jz...@chromium.org, cblume...@chromium.org, oshima...@chromium.org, ortuno...@chromium.org, fgal...@chromium.org, chromotin...@chromium.org, jshin...@chromium.org, droger+w...@chromium.org, derinel+wat...@google.com, webauthn...@chromium.org
Attention needed from Martin Kreichgauer

Olga Korokhina voted and added 4 comments

Votes added by Olga Korokhina

Commit-Queue+1

4 comments

Commit Message
Line 7, Patchset 70: Allow IWAs to call navigator.credentials methods
Martin Kreichgauer . resolved

```suggestion
Allow IWAs to call WebAuthn
```

Olga Korokhina

Changed, thank you.

Line 9, Patchset 70: Change adds IWA schema for allowed to proceed with WebAuthn VDI flow calls, introduces dedicated flag feature::kWebAuthnIWARemoteDesktopAllowedOriginsPolicy, check if IWA caller origin listed in webauthn::pref_names::kRemoteDesktopAllowedOrigins happens in existing code.
Martin Kreichgauer . unresolved

```suggestion
This exposes the WebAuthn API to calls from IWA origins. IWAs by default won't be able to claim any RP IDs, unless they're using the remoteDesktopClientOverride extension to act on behalf of another web origin. Access to this extension must be enabled for individual IWA origins via the webauthn.remote_desktop_allowed_origins enterprise policy.

Flag guarded by the device::kWebAuthnIWARemoteDesktopAllowedOriginsPolicy feature flag.
```

Olga Korokhina

Changed as you proposed, but I am a bit concerned about the policy naming: wouldn't it be better to use 'WebAuthenticationRemoteDesktopAllowedOrigins' instead of 'webauthn.remote_desktop_allowed_origins'?

Line 14, Patchset 70: Enabled-by-default-reason: WebAuthn for IWAs should be enabled
from the box
Martin Kreichgauer . resolved

```suggestion
Enabled-by-default-reason: Killswitch
```

Olga Korokhina

Changed, thank you

Line 16, Patchset 70: Fuchsia-Binary-Size: Adds ~16KB uncompressed to support WebAuthn for Isolated Web Apps, which is enabled by default.
Martin Kreichgauer . unresolved

I find it unlikely that this change is really adding that much to the Fuchsia binary. Try removing this please.

Olga Korokhina

Let's try. I added it here because of an AI suggestion; it is probably no longer relevant indeed.

Related details

Attention is currently required from:
  • Martin Kreichgauer
Submit Requirements:
  • Code-Coverage: satisfied
  • Code-Owners: not satisfied
  • Code-Review: satisfied
  • No-Unresolved-Comments: not satisfied
  • Review-Enforcement: satisfied
Gerrit-MessageType: comment
Gerrit-Project: chromium/src
Gerrit-Branch: main
Gerrit-Change-Id: Ie485f5d8ace040f2bd4a52ba24606a2d2732d7d1
Gerrit-Change-Number: 6865592
Gerrit-PatchSet: 71
Gerrit-Owner: Olga Korokhina <koro...@google.com>
Gerrit-Reviewer: Andrew Rayskiy <green...@google.com>
Gerrit-Reviewer: Martin Kreichgauer <mart...@google.com>
Gerrit-Reviewer: Olga Korokhina <koro...@google.com>
Gerrit-CC: Chris Thompson <cth...@chromium.org>
Gerrit-CC: Code Review Nudger <android-build...@prod.google.com>
Gerrit-CC: Jerome Jiang <ji...@chromium.org>
Gerrit-CC: Mirko Bonadei <mbon...@chromium.org>
Gerrit-CC: Simon Hangl <sim...@google.com>
Gerrit-Attention: Martin Kreichgauer <mart...@google.com>
Gerrit-Comment-Date: Fri, 24 Apr 2026 05:42:39 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Comment-In-Reply-To: Martin Kreichgauer <mart...@google.com>