Prohibit Create Credential from cross-origin iframes (#1394)
* Prohibit Create Credential from cross-origin iframes

This reverts part of PR #1276, again prohibiting the use of the Create method
when `sameOriginWithAncestors` is `false`. The `Note` is simplified, since
the integration between Credential Management and Feature Policy is now
complete.

* Split the feature-policy definition, per review comments

* Apply suggestions from code review

Co-Authored-By: =JeffH <[email protected]>

Co-authored-by: =JeffH <[email protected]>
jcjones and equalsJeffH authored Apr 9, 2020
1 parent 50679f5 commit 6626671
Showing 1 changed file with 7 additions and 5 deletions.
12 changes: 7 additions & 5 deletions index.bs
Expand Up @@ -1428,6 +1428,10 @@ When this method is invoked, the user agent MUST execute the following algorithm

1. Assert: <code>|options|.{{CredentialCreationOptions/publicKey}}</code> is [=present=].

1. If <var ignore>sameOriginWithAncestors</var> is [FALSE], return a "{{NotAllowedError}}" {{DOMException}}.

Note: This "sameOriginWithAncestors" restriction aims to address a tracking concern raised in [Issue #1336](https://github.com/w3c/webauthn/issues/1336). This may be revised in future versions of this specification.

1. Let |options| be the value of <code>|options|.{{CredentialCreationOptions/publicKey}}</code>.

1. If the {{PublicKeyCredentialCreationOptions/timeout}} member of |options| is [=present=], check if its value lies within a
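Review bot: The Note under the new `sameOriginWithAncestors` step justifies a normative "NotAllowedError" only by linking to Issue #1336, so a reader cannot tell from the specification text what the tracking concern is. Suggest adding one sentence to the Note that summarizes the concern, keeping the issue link as the reference.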
Expand Down Expand Up @@ -3005,13 +3009,12 @@ needs.

## Feature Policy integration ## {#sctn-feature-policy}

This specification defines a [=policy-controlled feature=] identified by
the feature-identifier token "<code><dfn data-lt="publickey-credentials-feature" export>publickey-credentials</dfn></code>".
This specification defines one [=policy-controlled features=] identified by
the feature-identifier token "<code><dfn data-lt="publickey-credentials-feature" export>publickey-credentials-get</dfn></code>".
Its [=default allowlist=] is '<code>self</code>'. [[!Feature-Policy]]

A {{Document}}'s [=Document/feature policy=] determines whether any content in that <a href="https://html.spec.whatwg.org/multipage/dom.html#documents">document</a> is
[=allowed to use|allowed to successfully invoke=] the [=Web Authentication API=], i.e., via
<code><a idl for="CredentialsContainer" lt="create()">navigator.credentials.create({publicKey:..., ...})</a></code> and
<code><a idl for="CredentialsContainer" lt="get()">navigator.credentials.get({publicKey:..., ...})</a></code>.
If disabled in any document, no content in the document will be [=allowed to use=]
the foregoing methods: attempting to do so will [return an error](https://www.w3.org/2001/tag/doc/promises-guide#errors).
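Review bot: In the new `<dfn>` line the visible token is renamed to `publickey-credentials-get` but `data-lt` is still "publickey-credentials-feature", while the new link in the iframe section uses `data-lt="publickey-credentials-get-feature"`, so that link has no matching definition. Suggest changing the dfn to `data-lt="publickey-credentials-get-feature"`. The sentence just above it also reads "defines one [=policy-controlled features=]"; the singular `[=policy-controlled feature=]` is wanted in both the wording and the link text.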
Expand All @@ -3023,8 +3026,7 @@ Note: Algorithms specified in [[!CREDENTIAL-MANAGEMENT-1]] perform the actual fe
## Using Web Authentication within <code>iframe</code> elements ## {#sctn-iframe-guidance}

The [=Web Authentication API=] is disabled by default in cross-origin <{iframe}>s.
To override this default policy and indicate that a cross-origin <{iframe}> is allowed to invoke the [=Web Authentication API=], specify the <{iframe/allow}> attribute on the <{iframe}> element and include the <code><a data-lt="publickey-credentials-feature">publickey-credentials</a></code> feature-identifier token in the <{iframe/allow}> attribute's value.

To override this default policy and indicate that a cross-origin <{iframe}> is allowed to invoke the [=Web Authentication API=]'s {{PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)}} method, specify the <{iframe/allow}> attribute on the <{iframe}> element and include the <code><a data-lt="publickey-credentials-get-feature">publickey-credentials-get</a></code> feature-identifier token in the <{iframe/allow}> attribute's value.



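Review bot: The rewritten sentence names only the internal method `[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)`, and the section does not say what happens to `navigator.credentials.create()` in a cross-origin iframe. Since this section is guidance on the `allow` attribute, suggest referring to `navigator.credentials.get({publicKey:..., ...})` as the feature-policy paragraph does, and adding a sentence stating that listing `publickey-credentials-get` does not enable credential creation, because the create algorithm returns "NotAllowedError" whenever `sameOriginWithAncestors` is false.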