Web Authenticator API: cross-origin iframe support

Category: Security
Type: New or changed feature
Status: Enabled by default (Chrome 84)
Intent stage: Evaluate readiness to ship

Summary

Adds support for web authentication calls from cross-origin iframes if enabled by a feature policy. This brings Chrome in line with the Web Authentication level two specification (https://w3c.github.io/webauthn/#sctn-iframe-guidance).

Motivation

There are two use cases that the working group is aware of: Firstly, there is interest in banks using this to comply with PSD2 regulations in the EU where they have to authenticate their users inside the context of a 3rd-party service-provider's site. Secondly, some sites wish to outsource their authentication to 3rd-party providers.

Standards & signals

Specification: https://w3c.github.io/webauthn/#sctn-iframe-guidance
Firefox: Positive — Firefox participates in the WebAuthn working group and approved the PR adding this to the spec.
Safari: No signal — Safari has an implementation of WebAuthn in developer previews of Safari but hasn't commented publicly about iframe support.
Web developers: No signals
Tracking bug: https://bugs.chromium.org/p/chromium/issues/detail?id=993007

Docs: None. WebAuthn actions will now be permitted when Feature Policy allows it.

Explainers: None.

View on chromestatus.com