Closed
Bug 1402114
Opened 7 years ago
Closed 6 years ago
[WebAuth] Feature should not be accessible in iframe by default
Categories
(Core :: DOM: Web Authentication, defect, P2)
Tracking
RESOLVED
WORKSFORME
| | Tracking | Status |
|---|---|---|
| firefox57 | --- | affected |
People
(Reporter: mwobensmith, Assigned: jcj)
References
(Blocks 1 open bug)
Details
As discussed during interop testing, and per Credential Management spec [1], this feature should be disabled by default when used in an iframe.
[1] https://www.w3.org/TR/credential-management-1/#security-origin-confusion
Updated•7 years ago
Priority: -- → P2
Comment 1•6 years ago
It looks like this is already the case. Looking at dom/credentialmanagement/CredentialsContainer.cpp, the Get, Create, and Store methods all call IsSameOriginWithAncestors, which ensures that they can only be called when the iframe is loaded from the same origin. The behavior on https://u2f.bin.coffee/iframe-webauthn.html seems to confirm that things are working as expected.
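The check Comment 1 refers to, modelled as an added example (not Gecko's code and not part of the bug thread): the Credential Management spec's "same-origin with its ancestors" test, run over hand-built frame objects. The frame shape (`url`, `sandboxed`, `parent`), the helper names, and the `.example` hosts are assumptions made for illustration.

```javascript
// Added illustration; not Gecko code. Frames are plain objects
// { url, sandboxed, parent } built by hand (constructed sample data).

// Reduce a frame to a tuple-origin string, or null for an opaque origin.
function originOf(frame) {
  if (frame.sandboxed) return null;       // sandbox without allow-same-origin
  const u = new URL(frame.url);
  if (u.origin === "null") return null;   // data:, file: and similar are opaque
  return u.origin;                        // scheme://host[:port], default port dropped
}

// Distinct documents with opaque origins are never same-origin.
function sameOrigin(a, b) {
  return a !== null && b !== null && a === b;
}

// True only if every ancestor up to the top-level document shares the
// caller's origin. One cross-origin hop anywhere in the chain fails it.
function isSameOriginWithAncestors(frame) {
  const own = originOf(frame);
  for (let p = frame.parent; p; p = p.parent) {
    if (!sameOrigin(own, originOf(p))) return false;
  }
  return true;
}

// Constructed frame trees covering the cases a reviewer would test.
function demo() {
  const top = { url: "https://rp.example/login", parent: null };
  const cross = { url: "https://ads.example/frame", parent: top };
  const frames = {
    top,
    sameChild: { url: "https://rp.example:443/widget", parent: top },
    crossChild: cross,
    // Same origin as the top document, but embedded via a cross-origin frame.
    nestedViaCross: { url: "https://rp.example/inner", parent: cross },
    schemeMismatch: { url: "http://rp.example/widget", parent: top },
    sandboxed: { url: "https://rp.example/s", sandboxed: true, parent: top },
    dataUrl: { url: "data:text/html,<p>x</p>", parent: top },
  };
  const out = {};
  for (const [name, f] of Object.entries(frames)) {
    out[name] = isSameOriginWithAncestors(f);
  }
  return out;
}
```

The `nestedViaCross` case is the one the spec's origin-confusion section is about: comparing only against the top-level origin would let it through, while walking every ancestor rejects it.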
Comment 2•6 years ago (Assignee)
Yes, agreed. We're intending to open that up via Feature Policy, but I had entirely forgotten about this bug. Thanks!
Status: NEW → RESOLVED
Closed: 6 years ago
Component: DOM: Device Interfaces → DOM: Web Authentication
Resolution: --- → WORKSFORME
Comment 3•4 years ago
Going forward, this is going to need some Fission tests to show that this works with OOP iframes, if feature policy is supposed to be able to permit that.
Comment 4•4 years ago
Sorry, commented on the wrong bug.