Closed Bug 1870863 Opened 5 months ago Closed 5 months ago

Web Authentication - Enable Cross-Origin iframes via Feature-Policy for credential creation


(Core :: DOM: Web Authentication, enhancement)




123 Branch
Tracking Status
firefox123 --- fixed


(Reporter: janne+mozilla, Assigned: janne+mozilla)


(Keywords: dev-doc-complete)


(1 file)

Steps to reproduce:

Tried to use the publickey-credentials-create Permissions-Policy to create a new credential in an iframe.

Actual results:

Was not allowed because the policy is ignored.

Expected results:

Should have worked.
This is pretty much the same as 1460986 but for credential creation instead of authentication.

Component: Untriaged → DOM: Web Authentication
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All

This is from the WebAuthn Level 3 standard and extends D174108 and D186245 with cross-origin credentials.create().

Assignee: nobody → janne+mozilla
Ever confirmed: true
Attachment #9369446 - Attachment description: Bug 1870863 - Implement publickey-credentials-create in Permissions-Policy. r=jschanck,keeler → Bug 1870863 - Implement publickey-credentials-create in Permissions-Policy. r=jschanck
Pushed by
Implement publickey-credentials-create in Permissions-Policy. r=jschanck
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 123 Branch

MDN docs for this can be tracked in

I'm a little confused by this. The bug name is "Enable Cross-Origin iframes via Feature-Policy for credential creation" which implies that you could do something like this to allow WebAuthn credentials to be created in iframes with sources from the indicated subdomains:

  allow="publickey-credentials-create 'self'">

However the docs here state:

In addition, get() can be used in nested browsing contexts loaded from the same origin as the top-most document;
create() on the other hand cannot be used in <iframe>s.


  • How does this work?
  • Is the note above about create() incorrect?
  • Is it still the case that FF only allows feature-policy in iframe allow and not as the Feature-Policy/Permissions-Policy header?
  • Should compatibility data be similar to publickey-credentials-get and say something like "Only supported through the allow attribute on <iframe> elements."?
Flags: needinfo?(janne+mozilla)

Is there anyone else who can help answer ^^^? :jschanck I've added you to needinfo on assumption perhaps Janne is out of office.

Flags: needinfo?(jschanck)

The note about create() is incorrect. The option to allow create() through the publickey-credentials-create policy-control feature was added to the WebAuthn spec in and to the Credential Management spec in

By default, Firefox still only sets the policy through allow=... on the iframe, not through the header, and the compatibility data should reflect this.

Flags: needinfo?(jschanck)
Flags: needinfo?(janne+mozilla)

Thanks @John. I've updated the compatibility data appropriately.

The docs are updated with minor changes:

  • Docs said that a permission fail was a SecurityError, but it looks from spec like it is a NotAllowedError. Right?
  • Further, it looks like transient activation is required on the frame if that permission is allowed by a frame at point you get or create the credential.
    • Correct? And does FF require this too.
  • Fixed line about not being able to call create() in a frame. Is get() also cross origin now or is it still single origin?

The docs update is here - if you have time for a sanity check that would be much appreciated.

Flags: needinfo?(jschanck)

Thanks, Hamish.

  • NotAllowedError is correct.
  • The WebAuthn spec clearly requires / consumes transient activation in create(), but I believe it is not required in get(). I think there are difficulties in enforcing this when requests are conditionally mediated. I'll ask in the working group meeting tomorrow. Firefox consumes transient activation in create() (Bug 1877332).
  • There is also a policy control for cross-origin get(), which is implemented in Firefox (Bug 1460986).

Transient activation is required for cross-origin create() but is not generally required, as that would have broken some existing implementations. There's more context in

Flags: needinfo?(jschanck)

Thank you. Docs updated I have set this as dev-doc-complete, though docs/compatibility is still waiting review.

You need to log in before you can comment on or make changes to this bug.