Fall back to related origins request in Safari for cross-origin passkeys. #3594
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sea-snake
changed the title
Contributor
There was a problem hiding this comment.
Pull request overview
This pull request implements a fallback mechanism for cross-origin passkey authentication in Safari, which doesn't support WebAuthn credential creation in iframes. The solution uses WebAuthn's related origins request feature for Safari browsers (desktop and iOS) while maintaining iframe-based authentication for other browsers.
Changes:
- Adds Safari/iOS browser detection to disable iframe rendering and fall back to related origins requests
- Implements
rpIdparameter in WebAuthn options to enable cross-origin passkey operations using related origins - Enables the
GUIDED_UPGRADEfeature flag when users are on a non-primary origin
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
src/frontend/src/routes/(new-styling)/(cross-origin)/+layout.svelte |
Adds browser detection for Safari and iOS to conditionally disable iframe embedding for cross-origin authentication |
src/frontend/src/lib/utils/discoverablePasskeyIdentity.ts |
Implements getRpId() function and updates credential creation/request options to support related origin requests by setting the appropriate rpId |
src/frontend/src/lib/state/featureFlags.ts |
Updates GUIDED_UPGRADE flag initialization to automatically enable when page is accessed from a non-primary origin |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
aterga
approved these changes
Jan 26, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fall back to related origins request in Safari for cross-origin passkeys.
Changes
rpIdif a primary origin (id.ai) is found and the page is currently at another origin to use WebAuthn with a related origins request in Safari.GUIDED_UPGRADEflag if current page isn't currently at the primary origin, this makes sure that desktop Safari and mobile iOS users still get the guided upgrade flow.Tests
Tested with Chrome, Firefox and Safari on desktop (Windows and Mac) and mobile (Android and iOS) with Apple Passwords, Google Passwords, Windows Hello and Bitwarden.