---
url: 'https://www.corbado.com/faq/cross-origin-iframe-passkey-challenges'
title: 'What are challenges for passkeys in cross-origin iframes?'
description: 'Discover key challenges when using passkeys in cross-origin iframes, including browser compatibility, security policies, and Safari limitations.'
lang: 'en'
keywords: 'cross-origin iframe, iframe permission policy, Safari iframe issue, iframe security'
---

# What are challenges for passkeys in cross-origin iframes?

## What are the main challenges when trying to use passkeys in a cross-origin iframe?

Implementing passkeys within [cross-origin](https://www.corbado.com/blog/iframe-passkeys-webauthn)
[iframes](https://www.corbado.com/blog/iframe-passkeys-webauthn) can significantly enhance user experience and
security, but there are several common challenges developers frequently encounter:

### 1. Browser Compatibility

- Not all browsers uniformly support WebAuthn features in
  [cross-origin](https://www.corbado.com/blog/iframe-passkeys-webauthn)
  [iframes](https://www.corbado.com/blog/iframe-passkeys-webauthn). As of now, Chrome and Firefox have
  implemented both [passkey creation](https://www.corbado.com/blog/passkey-creation-best-practices) and
  authentication, while Safari supports only authentication.
- This inconsistent support demands thorough cross-browser testing and potentially
  browser-specific solutions.

### 2. Permission Policy Configuration

- Misconfigured HTTP `Permissions-Policy` headers or missing `allow` attributes in the
  [iframe](https://www.corbado.com/blog/iframe-passkeys-webauthn) can block
  [passkey creation](https://www.corbado.com/blog/passkey-creation-best-practices) or login functionalities.
- Developers must explicitly enable permissions using:
    ```html
    <iframe
        src="https://example.com"
        allow="publickey-credentials-get; publickey-credentials-create"
    ></iframe>
    ```

Additionally, the embedded document's own HTTP `Permissions-Policy` header must agree with the
[iframe](https://www.corbado.com/blog/iframe-passkeys-webauthn) permissions: the embedder's `allow`
attribute delegates a feature to the frame, but a header on the framed page can still disable it, so
both layers must permit the feature for delegation to take effect.
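To make the two policy layers concrete, here is an added example (not code from the Corbado FAQ) that models how an embedder's `allow` attribute and the framed page's `Permissions-Policy` response header combine for the two passkey features. The origins and header values are constructed, and the model is deliberately simplified: it assumes the frame is loaded from the `src` origin and ignores nested frames and the older `Feature-Policy` syntax.

```javascript
// Added example: simplified model of Permissions-Policy delegation for passkeys in an iframe.
// Not part of the original page; origins below are constructed for illustration.

const PASSKEY_FEATURES = ['publickey-credentials-get', 'publickey-credentials-create'];

// Parse an iframe `allow` attribute: "feature [origin ...]; feature ...".
// A feature listed without origins defaults to 'src' (the iframe's own origin).
function parseAllowAttribute(allow) {
  const policy = new Map();
  for (const decl of allow.split(';')) {
    const tokens = decl.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...origins] = tokens;
    policy.set(feature, origins.length ? origins : ["'src'"]);
  }
  return policy;
}

// Parse a Permissions-Policy response header from the framed document, e.g.
//   publickey-credentials-get=(self "https://shop.example"), publickey-credentials-create=()
// Members are comma-separated; inner lists are space-separated structured-field values.
function parsePermissionsPolicyHeader(header) {
  const policy = new Map();
  for (const decl of header.split(',')) {
    const m = decl.trim().match(/^([a-z-]+)=(.+)$/);
    if (!m) continue;
    const [, feature, raw] = m;
    let origins;
    if (raw === '*') origins = ['*'];
    else if (raw.startsWith('(')) {
      origins = raw.slice(1, -1).split(/\s+/).filter(Boolean).map((t) => t.replace(/^"|"$/g, ''));
    } else origins = [raw.replace(/^"|"$/g, '')];
    policy.set(feature, origins);
  }
  return policy;
}

// Layer 1: did the embedder delegate `feature` to a frame loaded from `frameOrigin`?
// Cross-origin frames receive no passkey features unless the attribute names them.
function delegatedByEmbedder(allowPolicy, feature, frameOrigin, embedderOrigin) {
  const list = allowPolicy.get(feature);
  if (!list) return false;
  return list.some((tok) =>
    tok === '*' ||
    tok === "'src'" ||                                   // frame is assumed loaded from src
    (tok === "'self'" && frameOrigin === embedderOrigin) ||
    tok === frameOrigin);
}

// Layer 2: does the framed document's own header keep `feature` for itself?
// With no header the default allowlist for these features is 'self', so the document keeps it.
function keptByDocument(headerPolicy, feature, frameOrigin) {
  const list = headerPolicy.get(feature);
  if (!list) return true;
  return list.some((tok) => tok === '*' || tok === 'self' || tok === frameOrigin);
}

// Effective availability of each passkey feature inside the frame: both layers must agree.
function passkeyFeaturesAvailable({ allowAttribute, permissionsPolicyHeader, frameOrigin, embedderOrigin }) {
  const allowPolicy = parseAllowAttribute(allowAttribute || '');
  const headerPolicy = parsePermissionsPolicyHeader(permissionsPolicyHeader || '');
  const result = {};
  for (const feature of PASSKEY_FEATURES) {
    result[feature] =
      delegatedByEmbedder(allowPolicy, feature, frameOrigin, embedderOrigin) &&
      keptByDocument(headerPolicy, feature, frameOrigin);
  }
  return result;
}

// Constructed scenario: shop.example embeds auth.example and delegates both features,
// but auth.example's own header switches creation off.
console.log(passkeyFeaturesAvailable({
  allowAttribute: 'publickey-credentials-get; publickey-credentials-create',
  permissionsPolicyHeader: 'publickey-credentials-create=()',
  frameOrigin: 'https://auth.example',
  embedderOrigin: 'https://shop.example',
}));
```

The useful check when debugging a blocked flow is the last case: the `allow` attribute looks correct, yet creation still fails because the framed page's response header excludes it. The browser's own verdict is available at runtime via `document.featurePolicy.allowsFeature('publickey-credentials-create')` in browsers that expose that API.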

### 3. Safari-Specific Limitations

Safari currently doesn't allow [passkey creation](https://www.corbado.com/blog/passkey-creation-best-practices)
within [cross-origin](https://www.corbado.com/blog/iframe-passkeys-webauthn)
[iframes](https://www.corbado.com/blog/iframe-passkeys-webauthn), returning errors like:

```
NotAllowedError - The origin of the document is not the same as its ancestors.
```

There's no immediate workaround; developers must use alternative methods like redirects or
pop-up flows for Safari users.
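Since the Safari failure surfaces only at call time, the practical handling is to attempt creation in the frame, recognise this specific `NotAllowedError`, and hand off to a top-level flow. The following is an added example (not code from the Corbado FAQ) of such a wrapper; the popup URL, the `postMessage` contract between popup and frame, and the error classification beyond the message quoted above are assumptions for illustration. The credentials API is passed in as a parameter so the logic can be exercised outside a browser.

```javascript
// Added example: attempt passkey creation inside a cross-origin iframe and fall back to a
// popup when the browser refuses. Not part of the original page; popup URL and message
// format are hypothetical conventions you would define for your own deployment.

// True when this window sits in a frame whose top-level ancestor is a different origin.
function isCrossOriginFrame(win) {
  if (win.self === win.top) return false;
  try {
    void win.top.location.origin;   // throws for a cross-origin ancestor
    return false;                   // same-origin ancestor: no iframe restriction applies
  } catch (_) {
    return true;
  }
}

const CROSS_ORIGIN_MESSAGE = /not the same as its ancestors/i;

// Map a WebAuthn rejection to an action. NotAllowedError is overloaded by the spec, so the
// message text is the only way to tell Safari's cross-origin refusal from a user cancel.
function classifyWebAuthnError(err) {
  if (!err || typeof err.name !== 'string') return 'unknown';
  if (err.name === 'NotAllowedError' && CROSS_ORIGIN_MESSAGE.test(err.message || '')) {
    return 'cross-origin-blocked';
  }
  if (err.name === 'NotAllowedError') return 'user-cancelled-or-timeout';
  if (err.name === 'SecurityError') return 'origin-or-rpid-mismatch';
  return 'unknown';
}

// Fallback: open a top-level popup on the passkey origin and wait for it to post the result.
// The popup must be opened from a user gesture; `expectedOrigin` is checked on every message so
// that unrelated frames cannot inject a credential response.
function openPopupFallback(win, popupUrl, expectedOrigin) {
  return new Promise((resolve, reject) => {
    const popup = win.open(popupUrl, 'passkey', 'width=480,height=640');
    if (!popup) return reject(new Error('popup blocked'));
    const onMessage = (event) => {
      if (event.origin !== expectedOrigin || event.source !== popup) return;
      win.removeEventListener('message', onMessage);
      if (event.data && event.data.ok) resolve(event.data.credential);
      else reject(new Error((event.data && event.data.error) || 'fallback failed'));
    };
    win.addEventListener('message', onMessage);
  });
}

// Try in-frame creation first; on the cross-origin refusal run `openFallback()` instead.
// Any other error (user cancel, RP ID mismatch, ...) is surfaced unchanged to the caller.
async function createPasskeyWithFallback(credentials, publicKey, openFallback) {
  try {
    const credential = await credentials.create({ publicKey });
    return { via: 'iframe', credential };
  } catch (err) {
    if (classifyWebAuthnError(err) === 'cross-origin-blocked') {
      const credential = await openFallback();
      return { via: 'fallback', credential };
    }
    throw err;
  }
}

// Browser usage (guarded so the file also loads outside a browser). The publicKey options
// would come from your server's registration challenge; the popup URL is hypothetical.
if (typeof navigator !== 'undefined' && navigator.credentials && typeof window !== 'undefined') {
  const fallback = () => openPopupFallback(window, 'https://auth.example/passkey-popup', 'https://auth.example');
  createPasskeyWithFallback(navigator.credentials, /* publicKey options */ {}, fallback)
    .then((r) => console.log('registered via', r.via, isCrossOriginFrame(window) ? '(framed)' : '(top level)'))
    .catch((e) => console.error(classifyWebAuthnError(e), e));
}
```

Checking `isCrossOriginFrame` up front lets you skip the doomed attempt entirely in Safari, but keeping the try-first path means the same code works unchanged in Chrome and Firefox, where in-frame creation succeeds and the popup is never opened.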

### 4. Native App WebView Constraints

Native apps embedding [WebViews](https://www.corbado.com/blog/native-app-passkeys) often face additional
restrictions since [WebViews](https://www.corbado.com/blog/native-app-passkeys) typically support only
first-party passkeys (same domain as the app).

For third-party scenarios (like [payments](https://www.corbado.com/passkeys-for-payment)), developers must switch
from embedded [WebViews](https://www.corbado.com/blog/native-app-passkeys) to system WebViews (e.g.,
[ASWebAuthenticationSession](https://www.corbado.com/blog/native-app-passkeys) on [iOS](https://www.corbado.com/blog/webauthn-errors) or
Custom Tabs on [Android](https://www.corbado.com/blog/how-to-enable-passkeys-android)), ensuring proper passkey
functionality across domains.

By addressing these challenges, developers can successfully implement seamless, secure,
and robust passkey integrations within cross-origin
[iframe](https://www.corbado.com/blog/iframe-passkeys-webauthn) contexts.
