What are Passkeys?
Passkeys are a modern replacement for passwords, built on the WebAuthn standard, that let users sign in with a cryptographic key bound to their device. They're phishing-resistant, can't be reused across sites, and eliminate entire classes of credential theft attacks that plague password-based authentication.
The catch: passkeys solve authentication, but they don't protect the authenticated session. Once a user has signed in, the application still runs in a browser where untrusted code can do significant damage if it ever gets a foothold.
What's the risk?
If a Cross-Site Scripting (XSS) vulnerability exists anywhere in your application, an attacker doesn't need to steal the passkey — they just need to ride the session the user already opened with it. Injected JavaScript can perform any action the legitimate user can, including transferring funds, exfiltrating sensitive data, or tampering with transactions as they happen.
Worse, injected code can call the WebAuthn API directly. That opens the door to silently registering an attacker-controlled passkey on the victim's account for persistent access, or triggering a fresh publickey-credentials-get ceremony to authorise a malicious action the user didn't intend.
Content Security Policy is a web platform mechanism designed to mitigate cross-site scripting, the top security vulnerability in modern web applications.
- Weichselbaum et al., Google Research
How we can help
Passkeys give your users strong authentication, but the browser-side security of the session they open is up to you. Two browser-native controls close the gap: a strict Content Security Policy that blocks injected JavaScript from running in the first place, and a Permissions Policy that locks publickey-credentials-create and publickey-credentials-get down to (self) so only your own origin can invoke the WebAuthn API.
Report URI helps you deploy both, monitor them in production, and catch violations the moment they happen.
