
Allow for WebAuthn credential creation in a cross-origin iframe

Category: JavaScript
Type: Chromium catches up
Status: Enabled by default (Chrome Enabled by default)
Intent stage: None

Summary

This feature allows web developers to create WebAuthn[0] credentials (that is, "publickey" credentials, aka passkeys) in cross-origin iframes. Two conditions are required for this new ability:

1. The iframe has a publickey-credentials-create-feature permission policy.
2. The iframe has transient user activation.

This will allow developers to create passkeys in embedded scenarios, such as after an identity step-up flow where the Relying Party is providing a federated identity experience.

[0]: https://w3c.github.io/webauthn/
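An added example, not part of the original page or of Chrome's code: once credentials can be created inside a cross-origin iframe, the Relying Party's server can check which page embedded the flow by reading the `crossOrigin` and `topOrigin` members of clientDataJSON defined in the WebAuthn spec linked above. This goes one step beyond the summary; the origins, allow-list and challenge are constructed, and attestation and signature verification are left out.

```javascript
// Added example. Server-side (Node.js) check of clientDataJSON for a
// credential created in a cross-origin iframe. All values are constructed.
// Embedding side, for reference: <iframe allow="publickey-credentials-create" ...>
const RP_ORIGIN = "https://login.rp.example"; // assumption: origin of the iframe
const ALLOWED_EMBEDDERS = new Set(["https://shop.example"]); // assumption: expected top-level pages

const fail = (reason) => ({ ok: false, reason });

// Helper used only to build the constructed samples below.
const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

function verifyCreateClientData(clientDataJSON, expectedChallenge) {
  let c;
  try {
    c = JSON.parse(Buffer.from(clientDataJSON, "base64url").toString("utf8"));
  } catch {
    return fail("clientDataJSON is not valid JSON");
  }
  if (c === null || typeof c !== "object") return fail("clientDataJSON is not an object");
  if (c.type !== "webauthn.create") return fail("unexpected type");
  if (c.challenge !== expectedChallenge) return fail("challenge mismatch");
  if (c.origin !== RP_ORIGIN) return fail("unexpected origin");

  if (c.crossOrigin === true) {
    // Policy choice in this example: an embedded ceremony is accepted only
    // when the client names a top-level origin that is on the allow-list.
    if (typeof c.topOrigin !== "string" || !ALLOWED_EMBEDDERS.has(c.topOrigin)) {
      return fail("embedding page not allowed");
    }
  } else if (c.topOrigin !== undefined) {
    return fail("topOrigin without crossOrigin");
  }
  return { ok: true, embedded: c.crossOrigin === true };
}

// Constructed sample: creation inside an iframe embedded by shop.example.
const CHALLENGE = "dGVzdC1jaGFsbGVuZ2U";
const sample = encode({
  type: "webauthn.create", challenge: CHALLENGE, origin: RP_ORIGIN,
  crossOrigin: true, topOrigin: "https://shop.example",
});
console.log(verifyCreateClientData(sample, CHALLENGE));
```
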

Motivation

Enable web developers to build flows where WebAuthn credentials are created from within a cross-origin iframe (for example, for authenticated embeds, payment scenarios, etc.). Currently, web developers would instead have to fully redirect the user or open a pop-up window, neither of which is a great experience for embedded authn.
