Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update SPC spec to reflect that credential create in cross-origin iframe is now allowed in WebAuthn #267

Open
stephenmcgruer opened this issue Jan 26, 2024 · 1 comment
Open

Update SPC spec to reflect that credential create in cross-origin iframe is now allowed in WebAuthn #267

stephenmcgruer opened this issue Jan 26, 2024 · 1 comment

Comments

@stephenmcgruer
Copy link
Collaborator

Currently the 'payment' extension is specified to allow credential creation in a cross-origin iframe:

1. Modify step 2 (the check for sameOriginWithAncestors) as follows:

    - If sameOriginWithAncestors is false:

        - If the [relevant global object](https://html.spec.whatwg.org/multipage/webappapis.html#concept-relevant-global), as determined by the calling [create()](https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create) implementation, does not have [transient activation](https://html.spec.whatwg.org/multipage/interaction.html#transient-activation):

            - Return a [DOMException](https://webidl.spec.whatwg.org/#idl-DOMException) whose name is "[SecurityError](https://webidl.spec.whatwg.org/#securityerror)", and terminate this algorithm.

    - [Consume user activation](https://html.spec.whatwg.org/multipage/interaction.html#consume-user-activation) of the [relevant global object](https://html.spec.whatwg.org/multipage/webappapis.html#concept-relevant-global).

Source

This uses the payment permission policy (source).

However, as of w3c/webauthn#1801, this behavior is now in the WebAuthn spec itself:

2. If sameOriginWithAncestors is false:

    - If the [relevant global object](https://html.spec.whatwg.org/multipage/webappapis.html#concept-relevant-global), as determined by the calling [create()](https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create) implementation, does not have [transient activation](https://html.spec.whatwg.org/multipage/interaction.html#transient-activation):

        - Throw a "[NotAllowedError](https://webidl.spec.whatwg.org/#notallowederror)" [DOMException](https://webidl.spec.whatwg.org/#idl-DOMException).

    - [Consume user activation](https://html.spec.whatwg.org/multipage/interaction.html#consume-user-activation) of the [relevant global object](https://html.spec.whatwg.org/multipage/webappapis.html#concept-relevant-global).

Source

As such, we can now remove the text from SPC. However, there's a slight hitch. Spot the difference between the above two bits of spec text?

If there isn't a transient activation, SPC throws a SecurityError DOMException. But WebAuthn throws a NotAllowedError.

So, we have a small web compat issue here. We should confirm with known SPC implementors if they are handling a SecurityError specifically during credential creation, and if changing it to NotAllowedError would break them.
@stephenmcgruer
Copy link
Collaborator Author

See also https://bugs.chromium.org/p/chromium/issues/detail?id=1512245, which is the Chrome tracking bug

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@stephenmcgruer