On Tue, May 2, 2023 at 8:31 AM Caleb Raitto <carai...@chromium.org> wrote:

> I think this was discussed before with mmenke@, but he's ooo:
>
> How does this feature work in cross-site iframes? What prevents the PRF
> from acting as a cross-site identifier (are credentials usable in
> cross-site iframes)?
>

WebAuthn works in cross-site iframes if the parent frame explicitly permits
it <https://w3c.github.io/webauthn/#sctn-permissions-policy> with
Permissions Policy, thus the prf extension can work too. A PRF value could
be used as a tracking vector, but that would be a bit obtuse
because WebAuthn credentials themselves already have a large random ID. The
cross-origin iframe would still be limited by the RP ID mechanism
<https://w3c.github.io/webauthn/#rp-id> so that it could only attempt to
assert credentials created within the same eTLD+1, however.

Fundamentally, as an authentication mechanism WebAuthn must be a method of
identification. The balance is that WebAuthn requires a ceremony: browser
UI plus authenticator activation (e.g. touching a security key). The PRF
extension is part of a WebAuthn authentication and thus requires the
same ceremony; it can never be triggered silently or anything like that.


Cheers

AGL
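
An added example, not part of the original message and not Chromium's code: a simplified JavaScript model of the two gates described above, Permissions Policy delegation to a cross-origin iframe and RP ID scoping. The function names, the sample origins and the three-entry `PUBLIC_SUFFIXES` set are assumptions made for illustration; browsers use the full Public Suffix List and also evaluate the parent's policy header.

```javascript
// Constructed stand-in for the Public Suffix List (assumption for this example).
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Longest known public suffix of a host, falling back to its last label.
function publicSuffix(host) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// RP ID rule: equal to the caller's host, or a registrable domain suffix of it.
// Domain hosts only; IP addresses are not handled here.
function rpIdValidForOrigin(rpId, origin) {
  const host = new URL(origin).hostname;
  if (!rpId) return false;
  if (rpId === host) return true;
  if (!host.endsWith("." + rpId)) return false;
  // An RP ID that is a public suffix (or part of one) would span unrelated sites.
  const ps = publicSuffix(host);
  return rpId !== ps && !ps.endsWith("." + rpId);
}

// Simplified model: only the iframe's allow attribute is considered, and a
// feature token followed by 'none' counts as not delegated.
function delegatesWebAuthnGet(allowAttr) {
  return (allowAttr || "").split(";").some((directive) => {
    const [feature, ...allowlist] = directive.trim().split(/\s+/);
    return feature === "publickey-credentials-get" && !allowlist.includes("'none'");
  });
}

// True when a frame may even start a WebAuthn get() (and thus a prf evaluation)
// for rpId. The user-facing ceremony is still required after this point.
function canAttemptAssertion({ topOrigin, frameOrigin, allowAttr, rpId }) {
  const sameOrigin = new URL(topOrigin).origin === new URL(frameOrigin).origin;
  if (!sameOrigin && !delegatesWebAuthnGet(allowAttr)) return false;
  return rpIdValidForOrigin(rpId, frameOrigin);
}
```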
