Bug 234309

Summary: [WebAuthn] Allow same-site, cross-origin iframe get()
Product: WebKit
Reporter: pascoe <pascoe>
Component: WebKit Misc.
Assignee: pascoe <pascoe>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, cdumez, changseok, esprehn+autocc, ews-watchlist, gyuyoung.kim, jiewen_tan, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 234180    
Attachments:
Description Flags
Patch none
Patch none
Patch none

Description pascoe@apple.com 2021-12-14 13:33:14 PST
WebAuthn Level 2 specifies a feature policy: https://w3c.github.io/webauthn/#sctn-iframe-guidance. Functionality to get credentials from a cross-origin iframe should be enabled if the iframe has the allow="publickey-credentials-get" attribute/value pair.

This patch implements this functionality only for same-site, cross-origin iframes.

This bug is to reland: https://bugs.webkit.org/show_bug.cgi?id=234180
Comment 1 Radar WebKit Bug Importer 2021-12-14 13:35:05 PST
<rdar://problem/86486313>
Comment 2 pascoe@apple.com 2021-12-14 13:37:28 PST
Created attachment 447153 [details]
Patch
Comment 3 pascoe@apple.com 2021-12-14 16:40:39 PST
Created attachment 447177 [details]
Patch
Comment 4 pascoe@apple.com 2021-12-15 11:05:52 PST
Created attachment 447260 [details]
Patch
Comment 5 Brent Fulgham 2021-12-15 12:52:24 PST
Comment on attachment 447260 [details]
Patch

r=me
Comment 6 EWS 2021-12-15 16:54:14 PST
Committed r287116 (245301@main): <https://commits.webkit.org/245301@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 447260 [details].