Cross-Origin Isolation
Test credential visibility across subdomains. Map the RP ID scope matrix.
Current Context
Step 1: Register Passkeys with Different RP IDs
Register a passkey for each rpId value. This lets us test which registrations are visible from which rpId scopes.
Step 2: RP ID Scope Test
Attempt authentication from this subdomain using each rpId, targeting each registered credential. You will need to interact with or cancel each prompt.
Testing from Other Subdomains
To fully map cross-origin credential visibility, you should also test from other subdomains. The following subdomains are configured and can run their own WebAuthn experiments:
Register a passkey here with rpId="", then visit one of the subdomains above and attempt authentication with the same rpId. If the credential is accessible, it confirms that the parent-domain rpId scope allows cross-subdomain credential sharing.