Update SPC spec to reflect that credential create in cross-origin iframe is now allowed in WebAuthn #267

Closed
stephenmcgruer opened this issue Jan 26, 2024 · 1 comment · Fixed by #281

@stephenmcgruer
Collaborator

Currently the 'payment' extension is specified to allow credential creation in a cross-origin iframe:

1. Modify step 2 (the check for sameOriginWithAncestors) as follows:

    - If sameOriginWithAncestors is false:

        - If the [relevant global object](https://html.spec.whatwg.org/multipage/webappapis.html#concept-relevant-global), as determined by the calling [create()](https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create) implementation, does not have [transient activation](https://html.spec.whatwg.org/multipage/interaction.html#transient-activation):

            - Return a [DOMException](https://webidl.spec.whatwg.org/#idl-DOMException) whose name is "[SecurityError](https://webidl.spec.whatwg.org/#securityerror)", and terminate this algorithm.

    - [Consume user activation](https://html.spec.whatwg.org/multipage/interaction.html#consume-user-activation) of the [relevant global object](https://html.spec.whatwg.org/multipage/webappapis.html#concept-relevant-global).

Source

This uses the payment permission policy (source).

However, as of w3c/webauthn#1801, this behavior is now in the WebAuthn spec itself:

2. If sameOriginWithAncestors is false:

    - If the [relevant global object](https://html.spec.whatwg.org/multipage/webappapis.html#concept-relevant-global), as determined by the calling [create()](https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create) implementation, does not have [transient activation](https://html.spec.whatwg.org/multipage/interaction.html#transient-activation):

        - Throw a "[NotAllowedError](https://webidl.spec.whatwg.org/#notallowederror)" [DOMException](https://webidl.spec.whatwg.org/#idl-DOMException).

    - [Consume user activation](https://html.spec.whatwg.org/multipage/interaction.html#consume-user-activation) of the [relevant global object](https://html.spec.whatwg.org/multipage/webappapis.html#concept-relevant-global).

Source

As such, we can now remove the text from SPC. However, there's a slight hitch. Spot the difference between the above two bits of spec text?

If there isn't a transient activation, SPC throws a SecurityError DOMException. But WebAuthn throws a NotAllowedError.

So, we have a small web compat issue here. We should confirm with known SPC implementors if they are handling a SecurityError specifically during credential creation, and if changing it to NotAllowedError would break them.
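The compatibility concern above, seen from a page that calls `navigator.credentials.create()` inside a cross-origin iframe and wants to behave the same under either error name. This is an added example, not code from the SPC or WebAuthn specifications or from any implementor; `explainCreateError`, `createInFrame`, the reason strings and the caller-supplied `crossOriginFrame` flag are hypothetical, and it assumes the page reads `navigator.userActivation.isActive` just before the call.

```javascript
// Added example (hypothetical helper names, not from the spec or any implementor).

// Map a rejection from credentials.create() to a reason string.
// "SecurityError" is what the old SPC text threw when a cross-origin iframe
// had no transient activation; "NotAllowedError" is what WebAuthn throws.
// Both names also occur for unrelated failures, so the activation state
// recorded before the call decides whether a user gesture was the problem.
function explainCreateError(err, { crossOriginFrame, hadActivation }) {
  const name = err && err.name;
  const missingGesture = crossOriginFrame && !hadActivation;
  if (name === "SecurityError") {
    return missingGesture ? "needs-user-gesture" : "security-error";
  }
  if (name === "NotAllowedError") {
    return missingGesture ? "needs-user-gesture" : "not-allowed";
  }
  return "other";
}

// Wrapper around create(). `nav` is the Navigator object, injected so the
// function can be exercised with a stub; `crossOriginFrame` is supplied by
// the caller, which knows how the frame is embedded.
async function createInFrame(nav, publicKey, crossOriginFrame) {
  const ctx = {
    crossOriginFrame,
    // Record activation BEFORE the call: create() consumes it.
    hadActivation: Boolean(nav.userActivation && nav.userActivation.isActive),
  };
  try {
    const credential = await nav.credentials.create({ publicKey });
    return { ok: true, credential };
  } catch (err) {
    // Do not branch on a single error name; handle both spellings.
    return { ok: false, reason: explainCreateError(err, ctx) };
  }
}
```

A caller that gets `"needs-user-gesture"` can re-issue the request from a click handler; any other reason should go through its normal error path.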

@stephenmcgruer
Collaborator Author

See also https://bugs.chromium.org/p/chromium/issues/detail?id=1512245, which is the Chrome tracking bug.

stephenmcgruer added a commit that referenced this issue Feb 7, 2025
The WebAuthn specification now allows credential creation in a cross origin
iframe, as of w3c/webauthn#1801. As such, SPC no longer
needs to override or add this behavior.

We do retain (for now) the ability for the `"payment"` permission policy to
allow credential create in an iframe, instead of requiring
`"publickey-credentials-create"`. This should be removed one day, but one
small step to unification at a time :).

There is a small web-compat issue here. In the case of no transient user
activation, the SPC specification used to throw a `SecurityError` error.
However WebAuthn throws a `NotAllowed` error instead. See also Chrome bug
https://crbug.com/41484826

Fixes #267