Prohibit Create Credential from cross-origin iframes #1394
Conversation
|
This will also need to rebase on #1393. |
Do we? |
|
Or rename the feature policy, at least? I thought the idea was that if we decide later to allow MakeCredential from cross-origin iframes, we would need a new feature policy, so as not to change the behavior of an existing one for sites that might be using it. So the feature policy being added for this should correspond specifically to GetAssertion, if I understand correctly. |
|
We agreed at the F2F to split the policy so we could add make credential later if we decide to without breaking the current get behavior. |
|
Discussed on the call: we're going to rename with, for example, -create and -get. |
This reverts part of PR w3c#1276, again prohibiting the use of the Create method when `sameOriginWithAncestors` is `false`. The `Note` is simplified, since the integration between Credential Management and Feature Policy is now complete.
jcjones
force-pushed
the
1336-prohibit_create_from_xorigin_iframes
branch
from
c7a8576
to
454fc75
Compare
|
Thanks for the reviews; see what you think of this revision. |
|
on 2020-04-01 call: @equalsJeffH & @akshayku to review |
There was a problem hiding this comment.
thanks @jcjones -- overall LGTM, however feedback at this time from chrome implementor is that he does not advise defining a publickey-credentials-create policy at this time because at least some code for it would end up in browsers and just sit there (see changelist). So I'm intending to update the list of defined feature policies and define only publickey-credentials-get. Suggestions below as a result...
Co-Authored-By: =JeffH <jdhodges@google.com>
|
on 2020-04-08 call: @equalsJeffH to re-review and merge if good |
Due to WebAuthn issue #1336, the WebAuthn's "publickey-credentials" feature policy is renamed to "publickey-credentials-get", allowing only authentication (aka "getting an assertion") in cross-origin iframes. Credential creation is not allowed in cross-origin iframes, although it remains allowed by default (no feature-policy required) in same-origin-with-ancestors iframes. See also w3c/webauthn#1394, and https://w3c.github.io/webauthn/#sctn-feature-policy
|
feature policy name change PR submitted: w3c/webappsec-permissions-policy#370 "Update publickey-credentials to be "get-only" policy" |
Due to WebAuthn issue #1336, the WebAuthn's "publickey-credentials" feature policy is renamed to "publickey-credentials-get", allowing only authentication (aka "getting an assertion") in cross-origin iframes. Credential creation is not allowed in cross-origin iframes, although it remains allowed by default (no feature-policy required) in same-origin-with-ancestors iframes. See also w3c/webauthn#1394, and https://w3c.github.io/webauthn/#sctn-feature-policy
The WebAuthn spec has removed the ability to allow cross-origin iframes to perform Web Authentication MakeCredential requests. This CL restricts it to just GetAssertion, and reflects the renamed Feature Policy. Feature Policy spec change: w3c/webappsec-permissions-policy#370 WebAuthn spec change: w3c/webauthn#1394 Bug: 993007 Change-Id: I9b5ccf05b5e39a5e5920b475111cdf797dcdb5a5 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2120268 Reviewed-by: Martin Kreichgauer <martinkr@google.com> Reviewed-by: Jeremy Roman <jbroman@chromium.org> Reviewed-by: Ian Clelland <iclelland@chromium.org> Commit-Queue: Ken Buchanan <kenrb@chromium.org> Cr-Commit-Position: refs/heads/master@{#764743}
Feature Policy directive controlling WebAuth was renamed from
publickey-credentials to publickey-credentials-get.
Sources:
Feature Policy change:
w3c/webappsec-permissions-policy#370
WebAuthn specification change:
w3c/webauthn#1394
Chrome already updated the name:
https://crbug.com/993007#c9
This reverts part of PR #1276, again prohibiting the use of the Create method when
sameOriginWithAncestorsisfalse. TheNoteis simplified, since the integration between Credential Management and Feature Policy is now complete.Preview | Diff