API owners: It wasn't clear to me if I should still be formally requesting signals from WebKit and Gecko in the case of a change to an API (WebAuthn) where the change has been ratified + landed by the associated Working Group. The change is in some ways 'minor', but in other ways it is significant new behavior (allowing use of part of the API in cross-origin iframes, where it wasn't allowed before) and so perhaps requesting signals is warranted? Let me know please :D
On Wed, 17 Jan 2024 at 08:31, Stephen Mcgruer <smcgr...@chromium.org> wrote: > Contact emailssmcgr...@chromium.org > > ExplainerNone > > Specification > https://w3c.github.io/webauthn/#publickey-credentials-create-feature > > Summary > > This feature allows web developers to create WebAuthn[0] credentials (that > is, "publickey" credentials, aka passkeys) in cross-origin iframes. Two > conditions are required for this new ability: 1. The iframe has a > publickey-credentials-create-feature permission policy. 2. The iframe has > transient user activation. This will allow developers to create passkeys in > embedded scenarios, such as after an identity step-up flow where the > Relying Party is providing a federated identity experience. [0]: > https://w3c.github.io/webauthn/ > > Blink componentBlink>WebAuthentication > <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EWebAuthentication> > > TAG reviewNone > > TAG review statusNot applicable > > Risks > Interoperability and Compatibility > > There is only minor interoperability risk if other browsers do not adopt > this change. In a browser that does not support credential creation inside > a cross-origin iframe, attempting to call navigator.credentials.create > results in an asynchronous-but-immediate error message indicating that > creation cannot happen. This means that a developer can create a fallback > flow of: 1. Have some button for the user, e.g. "register passkey", in the > iframe 2. When the user clicks it, attempt to create a credential 3. If it > fails due to an incompatible browser, instead use the click to open a > pop-up window in which one *can* do the registration - a much poorer user > flow but one that works. > > *Gecko*: No signal > > *WebKit*: No signal No formal signal, but note that folks from Apple were > against the proposal when discussed in the WebAuthn WG > > *Web developers*: Positive developer feedback on > https://github.com/w3c/webauthn/issues/1656 (one example - > https://github.com/w3c/webauthn/issues/1656#issuecomment-890819845). No > known negative developer feedback > > *Other signals*: > > Security > > To avoid malicious iframes from creating credentials (attempting to trick > the user in some way), this feature requires both (a) a new permission > policy set on the frame, and (b) a user gesture (so the user must click or > interact with the iframe in some way). > > WebView application risks > > Does this intent deprecate or change behavior of existing APIs, such that > it has potentially high risk for Android WebView-based applications? > > None > > Debuggability > > Existing devtools support suffices for this feature > > Will this feature be supported on all six Blink platforms (Windows, Mac, > Linux, ChromeOS, Android, and Android WebView)?Yes > > Is this feature fully tested by web-platform-tests > <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> > ?Yes > > In review: https://github.com/web-platform-tests/wpt/pull/43729 (Chrome > Dev passes 5/5 added tests) > > Flag name on chrome://flagsNone > > Finch feature nameWebAuthAllowCreateInCrossOriginFrame > > Requires code in //chrome?False > > Tracking bughttps://bugs.chromium.org/p/chromium/issues/detail?id=1420639 > > Estimated milestones > Shipping on desktop 122 > DevTrial on desktop 122 > Shipping on Android 122 > DevTrial on Android 122 > Anticipated spec changes > > Already landed in the spec, no remaining changes expected. > > Link to entry on the Chrome Platform Status > https://chromestatus.com/feature/5175677674586112 > > Links to previous Intent discussionsIntent to prototype: > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADY3Maf7EmNUH1zYSi7DimKd5NfddYY3navNx3-ELPyeqHpPMw%40mail.gmail.com > > This intent message was generated by Chrome Platform Status > <https://chromestatus.com/>. > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADY3MaeX7OPn44HzmaTraBj%3DYEaosz4Y-aYdDr4Y%2BT7mkm9A0Q%40mail.gmail.com.
