Passkeys: Cross-origin policies not enforced

The browser extension, doing the passkeys integration through its own JavaScript hook, seems to fail at validating (potentially complex) cross-origin policies that should be enforced by the user agent.

There's an existing playground that can be conveniently used to test various cross-origin behaviors: https://webauthn-iframe-test.glitch.me/

In this playground, 1Password browser consistently gives prompts to use sign-in with passkeys even if it's not allowed by cross-origin policies. Clicking on the security key button (which forwards to the native user agent implementation) will reject disallowed cases with a SecurityError.

Given the trickiness of doing origin policy validation using only JS / WebExtension API, I hope that a proper WebExtension API for the purpose of WebAuthn integration is pursued in the future.


1Password Version: 8.10.16
Extension Version: 2.15.1
OS Version: macOS 14, Linux
Browser: Chrome, Firefox

This discussion has been closed.
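
For reference, the kind of check a credential-request hook would need to reproduce before prompting, written as an added example (not code from the post or from 1Password). It is a simplified model that assumes the policy at issue is the Permissions Policy feature `publickey-credentials-get` with its default allowlist of `'self'`; it ignores `Permissions-Policy` response headers and assumes each frame's origin equals the origin of its iframe `src`. The function names and sample origins are hypothetical.

```javascript
const FEATURE = "publickey-credentials-get";

// Allowlist declared for FEATURE in an iframe `allow` attribute, or null when
// the attribute does not mention it. A bare feature name means 'src'.
function declaredAllowlist(allowAttr) {
  for (const directive of (allowAttr || "").split(";")) {
    const [name, ...values] = directive.trim().split(/\s+/);
    if (name === FEATURE) return values.length ? values : ["'src'"];
  }
  return null;
}

// Does one allowlist entry admit the child frame?
function entryMatches(entry, parentOrigin, childOrigin) {
  // 'src' is treated as the child's origin (assumption: no later navigation).
  if (entry === "*" || entry === "'src'") return true;
  if (entry === "'none'") return false;
  if (entry === "'self'") return childOrigin === parentOrigin;
  return entry === childOrigin;
}

// frames: top-level document first, calling frame last.
// Each entry is { origin, allow }, where `allow` is the attribute on the
// <iframe> that embeds that frame (unused for the top-level document).
function webauthnGetAllowed(frames) {
  for (let i = 1; i < frames.length; i++) {
    const parent = frames[i - 1];
    const child = frames[i];
    const list = declaredAllowlist(child.allow);
    const ok = list === null
      ? child.origin === parent.origin // default allowlist is 'self'
      : list.some((e) => entryMatches(e, parent.origin, child.origin));
    if (!ok) return false; // a frame without the feature cannot delegate it
  }
  return true;
}

// Constructed sample: one cross-origin iframe, without and with delegation.
const rpPage = { origin: "https://rp.example" };
const widget = { origin: "https://widget.example" };
console.log(webauthnGetAllowed([rpPage, widget]));
console.log(webauthnGetAllowed([rpPage, { ...widget, allow: FEATURE }]));
```

A hook that prompts whenever this model returns `false` shows the mismatch described above: the extension offers a passkey where the native implementation would reject the request.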