Description
Is this intended to support signing in to one relying party when that party is embedded on a different site? Are users supposed to distinguish which party they are signing into when they do this? That seems extremely ripe for confusion. It could be useful for tracking users across sites if the user is trying to sign in to Site A without realizing that what they are doing is providing their cross-origin identifier for Tracker B.
In what way are passkeys partitioned when accessed by a cross-origin embedded iframe?
(This issue includes several questions because the reviewer (that @npdoty guy) wasn't entirely confident in reading the spec on the exact implications, and the rest of the Privacy WG thought it was potentially very concerning, but couldn't be certain based on the reviewer's uncertainty.)
This item was raised and discussed by the Privacy WG as part of this privacy review:
w3cping/privacy-request#162