Bug 1430875
Opened 7 years ago
Closed 7 years ago
WebAuthn navigator.credential.create throws DOMException in cross-origin iFrame
Category: Core :: DOM: Device Interfaces (defect)
Status: RESOLVED INVALID
Reporter: nightofthescorpion (Unassigned)
References: Blocks 1 open bug
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Steps to reproduce:
On Firefox Nightly 59.0a1
Browse to https://u2f.bin.coffee/iframe-webauthn.html
Attempt to create a credential.
Actual results:
Received error: NotAllowedError: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission.
Expected results:
As of a few weeks ago, Firefox Nightly was allowing credential creation inside of a cross-origin iframe (I am unsure of the version).
I have duplicated this locally with a proof-of-concept WebAuthn application; `navigator.credential.create()` results in a `DOMException` inside of a cross-origin iframe.
Comment 1 • 7 years ago
This behavior was prohibited in Bug 1407789.
Credential Management added an algorithm to determine if a context "is same-origin with its ancestors" here:
https://github.com/w3c/webappsec-credential-management/pull/114/files
Web Authentication pulled in that change permitting frames only if the context "is same-origin with its ancestors" here: https://github.com/w3c/webauthn/pull/702/files
As the second Note says in 5.1.3 of WebAuthn [1], this is due to the "Origin Confusion" consideration in Credential Management, and is expected to be remedied using Feature-Policy once that spec is implemented.
[1] https://w3c.github.io/webauthn/#createCredential
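The check described in Comment 1, as an added example that is not code from this bug, from Firefox, or from the specifications it links. It models the "is same-origin with its ancestors" algorithm over constructed frame objects (stand-ins for `window`, since the example is written to run in Node rather than a browser), applies it in front of a constructed `create()` implementation so the cross-origin case produces the `NotAllowedError` the reporter saw, and shows how a caller can tell that rejection apart from other failures. All names (`makeFrame`, `isSameOriginWithAncestors`, `tryCreate`, `fakeImpl`, the origins) and the fixtures are assumptions made for the example; the real API is `navigator.credentials.create()`, which is not called here.

```javascript
'use strict';

// Constructed stand-in for a browsing context (window). Real windows are
// not available in Node, so each frame carries its origin and a `parent`
// link; a top-level frame is its own parent, as `window.parent === window`
// is for a top-level window. `readable = false` models an ancestor whose
// location cannot be read from this context (a real browser throws a
// SecurityError on cross-origin access).
function makeFrame(origin, parent = null, readable = true) {
  const frame = {};
  frame.parent = parent || frame;
  Object.defineProperty(frame, 'location', {
    get() {
      if (!readable) throw new Error('SecurityError: cross-origin access');
      return { origin };
    },
  });
  return frame;
}

// Read a frame's origin, treating an access that throws as "unknown".
function originOf(frame) {
  try {
    return frame.location.origin;
  } catch (_) {
    return null;
  }
}

// The Credential Management check that WebAuthn adopted: a context is
// same-origin with its ancestors only if every frame up to the top-level
// browsing context has the same origin as the context itself. An ancestor
// whose origin cannot be read counts as a different origin.
function isSameOriginWithAncestors(frame) {
  const own = originOf(frame);
  if (own === null) return false;
  let current = frame;
  while (current.parent !== current) {
    current = current.parent;
    if (originOf(current) !== own) return false;
  }
  return true;
}

// Builds the rejection the bug report shows; callers branch on `name`.
function notAllowedError() {
  const err = new Error(
    'The request is not allowed by the user agent or the platform in the ' +
    'current context, possibly because the user denied permission.');
  err.name = 'NotAllowedError';
  return err;
}

// Models the user-agent side of create(): refuse when the calling frame is
// not same-origin with its ancestors, otherwise forward to the underlying
// implementation (`impl` is a constructed stand-in, not the real API).
async function createCredential(frame, impl, options) {
  if (!isSameOriginWithAncestors(frame)) throw notAllowedError();
  return impl.create(options);
}

// Caller side: tell the frame-context rejection apart from other failures
// instead of treating every DOMException as "the user cancelled".
async function tryCreate(frame, impl, options) {
  try {
    const cred = await createCredential(frame, impl, options);
    return { ok: true, id: cred.id };
  } catch (err) {
    if (err.name === 'NotAllowedError') {
      return { ok: false, reason: 'not-same-origin-with-ancestors' };
    }
    throw err;
  }
}

// Constructed fixtures: a fake credentials implementation and frame trees.
const fakeImpl = {
  create: async (options) => ({ id: 'cred-for-' + options.publicKey.rp.id }),
};
const options = { publicKey: { rp: { id: 'example.test', name: 'Example' } } };

const topLevel = makeFrame('https://example.test');
const sameOriginChild = makeFrame('https://example.test', topLevel);
const crossOriginChild = makeFrame('https://rp.example', topLevel);
// Same origin as the top-level page, but an opaque cross-origin frame sits
// between them, so the chain is still not same-origin with its ancestors.
const opaqueMiddle = makeFrame('https://rp.example', topLevel, false);
const nestedChild = makeFrame('https://example.test', opaqueMiddle);

// Usage: only the same-origin frame proceeds; the other two get the
// NotAllowedError rejection the bug reports.
const cases = [['same-origin', sameOriginChild],
               ['cross-origin', crossOriginChild],
               ['nested', nestedChild]];
for (const [label, frame] of cases) {
  tryCreate(frame, fakeImpl, options).then((result) => console.log(label, result));
}
```

The model stops at the ancestor check; it does not include the Feature-Policy delegation that the comment says was expected to relax this rule later, because the comment states that spec was not yet implemented at the time. In a real page the check is implicit in the browser, so the caller-side branch on `err.name` is the part worth keeping: it is the only signal a relying party gets that the failure is the frame context rather than a user cancellation.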