Safari Does Not Include topOrigin in WebAuthn clientDataJSON Despite crossOrigin: true

Hello,

I’m working on a cross-origin WebAuthn implementation where a parent page embeds an iframe from a different origin to perform authentication. According to the WebAuthn Level 3 spec (Section 7.1.1), when crossOrigin is true, the clientDataJSON may include topOrigin—but Safari does not seem to populate this field.

Observed Behavior:

Chrome/Firefox: Include topOrigin in clientDataJSON when crossOrigin: true.

Safari (macOS/iOS): Omits topOrigin even though crossOrigin is correctly set to true.

Example clientDataJSON from Safari:

{
  "type": "webauthn.get",
  "challenge": "...",
  "origin": "https://iframe-origin.example.com",
  "crossOrigin": true
  // Missing `topOrigin` (expected: parent origin)
}

Questions:

  1. Is this an intentional omission in Safari for privacy/security reasons?

  2. Are there specific requirements (e.g., HTTP headers, permissions policies) needed for Safari to expose topOrigin?

  3. Is there a known workaround to reliably obtain the top-level origin in cross-origin WebAuthn flows?

System Info:

Version 18.4 (20621.1.15.11.10) OS: Sequoia Version 18.4 (20621.1.15.11.10)

Reproduction Steps:

Parent page (https://parent.example.com) embeds an iframe (https://webauthn-rp.example.com).

The iframe calls navigator.credentials.get() with a WebAuthn challenge.

Safari returns clientDataJSON with crossOrigin: true but no topOrigin.

Code Snippet (iframe):

const credential = await navigator.credentials.get({
  publicKey: {
    challenge: new Uint8Array(/* ... */),
    rpId: 'webauthn-rp.example.com',
    allowCredentials: [],
    hints: [],
    userVerification: "preferred",
  }
});
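// clientDataJSON is an ArrayBuffer of UTF-8 bytes, so decode it as text rather than with atob().
console.log(JSON.parse(new TextDecoder().decode(credential.response.clientDataJSON)));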

Has anyone encountered this? Any insights would be greatly appreciated!
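Since the spec wording cited in the post says clientDataJSON may include topOrigin, a relying-party server cannot assume the field is present. The following is an added example, not code from the original post or from Safari/WebKit: a server-side check that validates topOrigin against an allowlist when it is present and reports whether the embedding origin was actually verified when it is absent. The function name verifyClientData, the policy object and its fields, and all sample values are hypothetical.

```javascript
// Added example (hypothetical names and constructed sample values throughout).
function verifyClientData(clientDataBytes, policy) {
  // clientDataJSON is raw UTF-8 bytes (ArrayBuffer or Uint8Array), not base64.
  const c = JSON.parse(new TextDecoder().decode(clientDataBytes));
  const fail = (reason) => ({ ok: false, reason, topOriginChecked: false });
  if (c.type !== policy.expectedType) return fail("type mismatch");
  if (c.challenge !== policy.expectedChallenge) return fail("challenge mismatch");
  if (c.origin !== policy.expectedOrigin) return fail("origin mismatch");

  if (c.crossOrigin !== true) {
    // This example treats topOrigin on a same-origin ceremony as inconsistent.
    if (c.topOrigin !== undefined) return fail("topOrigin without crossOrigin");
    return { ok: true, reason: "same-origin", topOriginChecked: false };
  }
  if (!policy.allowFramed) return fail("framed use not expected");

  if (typeof c.topOrigin === "string") {
    if (!policy.allowedTopOrigins.includes(c.topOrigin)) {
      return fail("topOrigin not allowed");
    }
    return { ok: true, reason: "framed, topOrigin allowed", topOriginChecked: true };
  }
  // Field absent, as in the Safari output above: the embedder is unverified,
  // so the caller decides via requireTopOrigin whether to accept.
  if (policy.requireTopOrigin) return fail("topOrigin missing");
  return { ok: true, reason: "framed, topOrigin absent", topOriginChecked: false };
}

// Constructed inputs modelled on the post's example origins.
const encodeClientData = (obj) => new TextEncoder().encode(JSON.stringify(obj));
const samplePolicy = {
  expectedType: "webauthn.get",
  expectedChallenge: "c2FtcGxlLWNoYWxsZW5nZQ", // constructed base64url value
  expectedOrigin: "https://webauthn-rp.example.com",
  allowFramed: true,
  allowedTopOrigins: ["https://parent.example.com"],
  requireTopOrigin: false,
};
const framed = {
  type: "webauthn.get",
  challenge: samplePolicy.expectedChallenge,
  origin: samplePolicy.expectedOrigin,
  crossOrigin: true,
};
const withTopOrigin = encodeClientData({ ...framed, topOrigin: "https://parent.example.com" });
const withoutTopOrigin = encodeClientData(framed);
console.log(verifyClientData(withTopOrigin, samplePolicy));
console.log(verifyClientData(withoutTopOrigin, samplePolicy));
```

The topOriginChecked flag lets the server log or restrict sessions where the embedding page could not be confirmed from clientDataJSON.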
