Web Authenticator API: cross-origin iframe support

Feature: Web Authenticator API: cross-origin iframe support

Adds support for web authentication calls from cross-origin iframes if enabled by a feature policy. This brings Chrome in line with the Web Authentication level two specification (https://w3c.github.io/webauthn/#sctn-iframe-guidance).

Motivation

There are two use cases that the working group is aware of: Firstly, there is interest in banks using this to comply with PSD2 regulations in the EU where they have to authenticate their users inside the context of a 3rd-party service-provider's site. Secondly, some sites wish to outsource their authentication to 3rd-party providers.

Documentation

None. WebAuthn actions will now be permitted when Feature Policy allows it.

Specification

Specification link

Status: Unknown standards status - check spec link for status

Status in Chromium

Blink components: Blink>WebAuthentication

Implementation status: Enabled by default (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Firefox: Positive
Safari: No signal
Web Developers: No signals

Owner

agl@chromium.org

Search tags

webauthn,

Last updated on 2021-12-13