Merge pull request #2231 from w3c/issue-2229-sctn-5-10-create

Address cross-origin create() in §5.10
w3c · Jan 20, 2025 · eef83ec · eef83ec
2 parents 34cc85e + 1afec06
commit eef83ec
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/index.bs b/index.bs
@@ -4476,7 +4476,12 @@ Note: Algorithms specified in [[!CREDENTIAL-MANAGEMENT-1]] perform the actual pe
 ## Using Web Authentication within <code>iframe</code> elements ## {#sctn-iframe-guidance}
 
 The [=Web Authentication API=] is disabled by default in cross-origin <{iframe}>s.
-To override this default policy and indicate that a cross-origin <{iframe}> is allowed to invoke the [=Web Authentication API=]'s {{PublicKeyCredential/[DISCOVER-METHOD]}} method, specify the <{iframe/allow}> attribute on the <{iframe}> element and include the <code>[=publickey-credentials-get-feature|publickey-credentials-get=]</code> feature-identifier token in the <{iframe/allow}> attribute's value.
+To override this default policy and indicate that a cross-origin <{iframe}> is allowed to invoke the [=Web Authentication API=]'s
+{{PublicKeyCredential/[CREATE-METHOD]}} and {{PublicKeyCredential/[DISCOVER-METHOD]}} methods,
+specify the <{iframe/allow}> attribute on the <{iframe}> element and include the
+<code>[=publickey-credentials-create-feature|publickey-credentials-create=]</code> or
+<code>[=publickey-credentials-get-feature|publickey-credentials-get=]</code>
+feature-identifier token, respectively, in the <{iframe/allow}> attribute's value.
 
 [=[RPS]=] utilizing the WebAuthn API in an embedded context should review [[#sctn-seccons-visibility]] regarding [=UI redressing=] and its possible mitigations.