From 1afec06e5f293efcbec14592b456c8b5fc852651 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Tue, 14 Jan 2025 18:08:55 +0100 Subject: [PATCH] =?UTF-8?q?Address=20cross-origin=20create()=20in=20=C2=A7?= =?UTF-8?q?5.10?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- index.bs | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 40a4ab6e8..b8974211a 100644 --- a/index.bs +++ b/index.bs @@ -4535,7 +4535,12 @@ Note: Algorithms specified in [[!CREDENTIAL-MANAGEMENT-1]] perform the actual pe ## Using Web Authentication within iframe elements ## {#sctn-iframe-guidance} The [=Web Authentication API=] is disabled by default in cross-origin <{iframe}>s. -To override this default policy and indicate that a cross-origin <{iframe}> is allowed to invoke the [=Web Authentication API=]'s {{PublicKeyCredential/[DISCOVER-METHOD]}} method, specify the <{iframe/allow}> attribute on the <{iframe}> element and include the [=publickey-credentials-get-feature|publickey-credentials-get=] feature-identifier token in the <{iframe/allow}> attribute's value. +To override this default policy and indicate that a cross-origin <{iframe}> is allowed to invoke the [=Web Authentication API=]'s +{{PublicKeyCredential/[CREATE-METHOD]}} and {{PublicKeyCredential/[DISCOVER-METHOD]}} methods, +specify the <{iframe/allow}> attribute on the <{iframe}> element and include the +[=publickey-credentials-create-feature|publickey-credentials-create=] or +[=publickey-credentials-get-feature|publickey-credentials-get=] +feature-identifier token, respectively, in the <{iframe/allow}> attribute's value. [=[RPS]=] utilizing the WebAuthn API in an embedded context should review [[#sctn-seccons-visibility]] regarding [=UI redressing=] and its possible mitigations.
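Review bot: In the rewritten sentence under {#sctn-iframe-guidance}, the wording "publickey-credentials-create or publickey-credentials-get feature-identifier token, respectively" does not say outright that each token enables only its own method, and it leaves open what an embedder writes when the framed content needs both. Suggest stating the mapping explicitly (publickey-credentials-create for {{PublicKeyCredential/[CREATE-METHOD]}}, publickey-credentials-get for {{PublicKeyCredential/[DISCOVER-METHOD]}}) and adding that both tokens are included in the <{iframe/allow}> value when both methods are needed, so an embedder grants only what the frame requires. The unchanged sentence after the hunk still refers [=[RPS]=] to [[#sctn-seccons-visibility]] without distinguishing the two methods; please confirm that section's [=UI redressing=] guidance reads correctly for credential creation as well as for assertion now that this paragraph covers both.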