WebOTP API: cross-origin iframe support

Category: Miscellaneous
Type: Chromium catches up
Status: Enabled by default (Chrome 91)
Intent stage: Shipped

Summary

Adds support for WebOTP API calls from cross-origin iframes if enabled by a permission policy.

Motivation

The WebOTP API gives developers the ability to programmatically read one time codes from specially-formatted SMSes addressed to their origin to reduce user friction. Many sites embed iframes that handle authentication for them. We propose to support the API in cross-origin iframes to address feature requests from the web developer community (e.g. Shopify, iCloud) and improve interoperability.

Standards & signals

Specification: https://wicg.github.io/web-otp/
Firefox: Negative — Negative signals around the premise (using SMS), no clear signal regarding WebOTP API or iframe
Safari: Neutral — Safari is positive on the SMS format and has shipped the declarative API with cross-origin support in that format. They are neutral on the imperative WebOTP API in general.
Web developers: Positive
Tracking bug: https://crbug.com/1136506

Docs: https://docs.google.com/document/d/1dR-5-1O3SqAbQCRj_cBaQ7nQD5YlWzExcusmPcO2Xqs/edit?usp=sharing

Samples: https://output.jsbin.com/gilusuq/quiet

Explainers: https://github.com/WICG/web-otp/blob/master/README.md

View on chromestatus.com