Passkeys: Cross-origin policies not enforced
The browser extension, doing the passkeys integration through its own JavaScript hook, seems to fail at validating (potentially complex) cross-origin policies that should be enforced by the user agent.
There's an existing playground that can be conveniently used to test various cross-origin behavior: https://webauthn-iframe-test.glitch.me/
In this playground, 1Password browser consistently gives prompts to use sign-in with passkeys even if it's not allowed by cross origin policies. Clicking on the security key button (which forwards to the native user agent implementation) will reject disallowed cases with a SecurityError.
Given the trickiness of doing origin policy validation using only JS / WebExtension API, I hope that a proper WebExtension API for the purpose of WebAuthn integration is pursued in the future.
1Password Version: 8.10.16
Extension Version: 2.15.1
OS Version: macOS 14, Linux
Browser: Chrome, Firefox