Thanks, makes sense -- can a note about this be added to the privacy section of the explainer / spec?
-Caleb

On Tue, May 2, 2023 at 12:06 PM Adam Langley <a...@google.com> wrote:
> On Tue, May 2, 2023 at 8:31 AM Caleb Raitto <carai...@chromium.org> wrote:
>> I think this was discussed before with mmenke@, but he's ooo:
>>
>> How does this feature work in cross-site iframes? What prevents the PRF
>> from acting as a cross-site identifier (are credentials usable in cross-site
>> iframes)?
>
> WebAuthn works in cross-site iframes if the parent frame explicitly permits
> it <https://w3c.github.io/webauthn/#sctn-permissions-policy> with
> Permissions Policy, thus the prf extension can work too. A PRF value could
> be used as a tracking vector, but that would be a bit obtuse, because WebAuthn
> credentials themselves already have a large random ID. The cross-origin
> iframe would still be limited by the RP ID mechanism
> <https://w3c.github.io/webauthn/#rp-id> so that it could only attempt to
> assert credentials created within the same eTLD+1, however.
>
> Fundamentally, as an authentication mechanism WebAuthn must be a method of
> identification. The balance is that WebAuthn requires a ceremony: browser
> UI plus authenticator activation (e.g. touching a security key). The PRF
> extension is part of a WebAuthn authentication and thus requires the
> same ceremony; it can never be triggered silently or anything like that.
>
> Cheers
>
> AGL

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CA%2B7y87rVqvUqG2FBrbKQ_67AbvFazStC7524JtzdmLk-YTg0pw%40mail.gmail.com.
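Added illustration of the two scoping points raised in the exchange above (Permissions Policy delegation into the iframe, and the RP ID rule limiting which credentials a cross-origin frame can assert), plus the shape of a prf request and response. This is not code from the blink-dev thread, the WebAuthn spec or Chromium; the helper names, the hosts, and the tiny public-suffix set are stand-ins chosen for the example.

```javascript
// Added example for the cross-site iframe question in this thread. It is not
// code from the blink-dev discussion, the WebAuthn spec or Chromium; the
// helper names and the tiny public-suffix set below are my own stand-ins.

// Stand-in for the Public Suffix List (assumption: a real implementation
// consults the full list; this set only covers the hosts used in the demo).
const DEMO_PUBLIC_SUFFIXES = new Set(['com', 'org', 'co.uk', 'github.io']);

// Model of the RP ID rule that scopes WebAuthn calls, prf included: the RP ID
// must equal the calling frame's host or be a registrable-domain suffix of it.
// A frame at https://widget.example.com may pass rpId "example.com", but not
// "com" (a public suffix) or "other.com", so a cross-origin iframe can only
// try to assert credentials registered under its own eTLD+1.
// Simplification: only https origins are accepted (localhost is not special-cased).
function rpIdAllowedForOrigin(origin, rpId, publicSuffixes = DEMO_PUBLIC_SUFFIXES) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false;
  }
  if (url.protocol !== 'https:') return false;
  const host = url.hostname.toLowerCase();
  const id = rpId.toLowerCase();
  if (id === host) return true;
  // The suffix match must fall on a label boundary ("ample.com" is not a suffix).
  if (!host.endsWith('.' + id)) return false;
  // A bare public suffix is not a registrable domain and is rejected.
  return !publicSuffixes.has(id);
}

// Options for navigator.credentials.get() with a prf evaluation. The RP picks
// the salt; the authenticator returns a 32-byte output bound to the credential.
// Inside a cross-origin iframe this call is only reachable if the embedder
// delegated it, e.g. <iframe allow="publickey-credentials-get" src=...>, and
// the browser still runs the usual ceremony (UI plus authenticator activation).
function buildPrfGetOptions(rpId, challenge, salt, allowCredentialIds = []) {
  return {
    publicKey: {
      rpId,
      challenge,
      userVerification: 'required',
      allowCredentials: allowCredentialIds.map((id) => ({ type: 'public-key', id })),
      extensions: { prf: { eval: { first: salt } } },
    },
  };
}

// Pull the prf output out of credential.getClientExtensionResults().
// Returns null when the browser or authenticator did not evaluate the
// extension (results absent), so callers can fall back rather than crash.
function extractPrfOutput(clientExtensionResults) {
  const first = clientExtensionResults?.prf?.results?.first;
  if (!first) return null;
  const bytes = new Uint8Array(first);
  return bytes.length === 32 ? bytes : null;
}

// Turn the prf output into a non-extractable AES-GCM key via HKDF (WebCrypto,
// available as globalThis.crypto in browsers and Node 19+). The raw output
// never needs to leave the client, which is the intended use of the extension.
async function deriveWrappingKey(prfOutput, info = 'demo-vault-wrapping-key') {
  const subtle = globalThis.crypto?.subtle;
  if (!subtle) throw new Error('WebCrypto not available in this runtime');
  const ikm = await subtle.importKey('raw', prfOutput, 'HKDF', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'HKDF', hash: 'SHA-256', salt: new Uint8Array(32), info: new TextEncoder().encode(info) },
    ikm,
    { name: 'AES-GCM', length: 256 },
    false,
    ['encrypt', 'decrypt'],
  );
}
```

In a real page the flow is: the embedder grants `publickey-credentials-get` to the frame, the frame checks its intended rpId with a rule like `rpIdAllowedForOrigin` (the browser enforces the real one and rejects the call otherwise), passes `buildPrfGetOptions(...)` to `navigator.credentials.get()`, and feeds `extractPrfOutput(credential.getClientExtensionResults())` into `deriveWrappingKey`. The null return covers authenticators that do not implement prf, which is the failure mode an RP has to plan for.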