Skip to content

Update SPC spec to reflect that credential create in cross-origin iframe is now allowed in WebAuthn #267

New issue
New issue
Closed
#281
Closed
Update SPC spec to reflect that credential create in cross-origin iframe is now allowed in WebAuthn#267
#281
@stephenmcgruer

Description

@stephenmcgruer
stephenmcgruer
opened on Jan 26, 2024

Currently the 'payment' extension is specified to allow credential creation in a cross-origin iframe:

1. Modify step 2 (the check for sameOriginWithAncestors) as follows:

    - If sameOriginWithAncestors is false:

        - If the [relevant global object](https://html.spec.whatwg.org/multipage/webappapis.html#concept-relevant-global), as determined by the calling [create()](https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create) implementation, does not have [transient activation](https://html.spec.whatwg.org/multipage/interaction.html#transient-activation):

            - Return a [DOMException](https://webidl.spec.whatwg.org/#idl-DOMException) whose name is "[SecurityError](https://webidl.spec.whatwg.org/#securityerror)", and terminate this algorithm.

    - [Consume user activation](https://html.spec.whatwg.org/multipage/interaction.html#consume-user-activation) of the [relevant global object](https://html.spec.whatwg.org/multipage/webappapis.html#concept-relevant-global).

Source

This uses the payment permission policy (source).

However, as of w3c/webauthn#1801, this behavior is now in the WebAuthn spec itself:

2. If sameOriginWithAncestors is false:

    - If the [relevant global object](https://html.spec.whatwg.org/multipage/webappapis.html#concept-relevant-global), as determined by the calling [create()](https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create) implementation, does not have [transient activation](https://html.spec.whatwg.org/multipage/interaction.html#transient-activation):

        - Throw a "[NotAllowedError](https://webidl.spec.whatwg.org/#notallowederror)" [DOMException](https://webidl.spec.whatwg.org/#idl-DOMException).

    - [Consume user activation](https://html.spec.whatwg.org/multipage/interaction.html#consume-user-activation) of the [relevant global object](https://html.spec.whatwg.org/multipage/webappapis.html#concept-relevant-global).

Source

As such, we can now remove the text from SPC. However, there's a slight hitch. Spot the difference between the above two bits of spec text?

If there isn't a transient activation, SPC throws a SecurityError DOMException. But WebAuthn throws a NotAllowedError.

So, we have a small web compat issue here. We should confirm with known SPC implementors if they are handling a SecurityError specifically during credential creation, and if changing it to NotAllowedError would break them.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions