Passkeys: Permissions Policy support

[a2kolbasov]

Support of:

• https://www.w3.org/TR/webauthn-2/#sctn-permissions-policy
• https://www.w3.org/TR/webauthn-2/#sctn-iframe-guidance

Both legacy and draft APIs are used. If a browser doesn't support either of these, fallback to sameOriginWithAncestors mode.

Important

Firefox users need to go to about:config, find dom.security.featurePolicy.webidl.enabled and toggle it to true.

• Resolves Aliyun cannot log in with KeePassXC's passkey #2850
• Resolves KeepassXC Browser extenstion Fails to save Agekey passkey #2877
• and partially Can't add a Passkey on facebook #2808 (comment)

Testing strategy

1. In Chrome and Firefox on https://account.aliyun.com/login/login.htm via debugger checked that isAllowedByPolicy() === true.
2. In Firefox on https://accountscenter.facebook.com/passkey/management created a passkey.
3. In Chrome and Firefox on https://bafkreibpvliu64zcxj5uvu4a5ha3oxy4mgtmrylkmdtrfo6w6y2pprmjr4.ipfs.dweb.link/

Type of change

• ✅ Bug fix (non-breaking change that fixes an issue)
• ✅ New feature (change that adds functionality)

[varjolintu]

Doesn't this function override the iframe check? https://www.w3.org/TR/webauthn-2/#sctn-iframe-guidance

You allow a cross-origin iframe here automatically if the document has allowed a permission policy. It should be first checked if the current script is inside a cross-origin iframe and then check the permission policy.

[a2kolbasov]

iframe's allow attribute is a part of Permissions Policy.

Please read information on these 2 marked links.
https://www.w3.org/TR/webauthn-2/#sctn-iframe-guidance:~:text=the-,publickey%2Dcredentials%2Dget&text=in%20the-,allow

[varjolintu]

Yes, that's with the iframe element. Your change does not check if the current script is inside iframe or is it at the main document.

[a2kolbasov]

1. iframe's allow attribute is a part of Permissions policy.
2. The browser has reported that requests are allowed by Permissions policy.

Why do I need additional verification here?

[a2kolbasov]

Let's say the current script is inside an iframe. The main document has allowed WebAuthn to be used from this iframe. I introduced an additional check and found that the script is inside this iframe. What should I do with that information? Block the request? The specification, however, says the request must be allowed. It doesn't forbid such requests entirely. It forbids them by default (without an explicit indication on the main document's side that it's permitted).

[varjolintu]

Yes, but I think the script should do that check only if we are inside a cross-origin iframe.

[a2kolbasov]

In this case, only § 5.10 would be implemented, and all related PR issues would be resolved.

However, § 5.9 would not be implemented. A site can completely prohibit the use of WebAuthn via Permissions-Policy: publickey-credentials-get=() HTTP header, but that restriction won’t be enforced in the main document - as it currently stands.

[varjolintu]

According to the documentation, 5.9 is done only for publickey-credentials-get but this change does it for create too.

[a2kolbasov]

WebAuthn‑3 includes the create feature.
https://www.w3.org/TR/webauthn-3/#sctn-permissions-policy

As I understand it, you’re concerned that some older browser doesn’t know about create and will always return false. I’ll add an additional check.