Acme Inc. — Latest news
A boring marketing page. No login. No account. No passkey functionality. Nothing here should ever invoke WebAuthn.
But a third-party analytics tag has been compromised and is now attempting to register a passkey on your account whenever you interact with the page. Click any of these innocuous-looking buttons to see what happens:
navigator.credentials.create() rejects with NotAllowedError before any prompt can be shown — the document is not in the API's allowlist. The analytics tag is still loaded and running; it just cannot reach the WebAuthn API. Each attempt fires a Permissions-Policy violation report to Report URI.
publickey-credentials-create=(), publickey-credentials-get=()
The directive publickey-credentials-create=() sets the allowlist to empty — no origin, including the page itself, may use the API. The browser enforces this before any JavaScript runs, so there's no race to win and no prompt that briefly flickers. Calls to the API throw immediately and the violation is reported.
Defence-in-depth pattern: for any page that does not legitimately need WebAuthn (homepage, content pages, admin dashboards that don't enroll passkeys), set both directives to an empty allowlist (). Your login and account-settings pages keep publickey-credentials-create=(self) and publickey-credentials-get=(self). A compromised script on the locked-down pages cannot pop a passkey prompt regardless of how it got there.
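The allowlist evaluation described above, as an added example that is not part of the demo page: a small model of how a browser decides whether a top-level document may call navigator.credentials.create() under a given Permissions-Policy header. The origin https://acme.example and the report shape are constructed for illustration; the point it makes is that the policy is evaluated against the document the script runs in, so a third-party tag inherits the page's allowlist, and that with no header at all the default allowlist for both publickey-credentials-* features is self, which is why the marketing page needs the explicit () to be protected.

```javascript
// Model of Permissions-Policy allowlist evaluation for a top-level document.
// Supports the forms used by the publickey-credentials-* features:
//   feature=()                      empty allowlist, nobody may use it
//   feature=*                       any origin
//   feature=(self "https://a.test") self plus listed origins (quoted)
// If a feature is absent from the header, its spec default applies.
const DEFAULT_ALLOWLISTS = {
  'publickey-credentials-create': ['self'],
  'publickey-credentials-get': ['self'],
};

function parsePermissionsPolicy(header) {
  const policy = {};
  for (const part of header.split(',')) {
    const item = part.trim();
    const eq = item.indexOf('=');
    if (!item || eq < 0) continue;
    const feature = item.slice(0, eq).trim();
    const value = item.slice(eq + 1).trim();
    if (value === '*') {
      policy[feature] = ['*'];
    } else if (value.startsWith('(') && value.endsWith(')')) {
      const inner = value.slice(1, -1).trim();
      // Tokens are `self`, `*`, or quoted origins; strip the quotes.
      policy[feature] = inner ? inner.split(/\s+/).map(t => t.replace(/^"|"$/g, '')) : [];
    }
  }
  return policy;
}

// A top-level document matches `self`, `*`, or its own origin in the allowlist.
// Which script made the call is irrelevant: the document's policy governs it.
function featureAllowed(policy, feature, documentOrigin) {
  const allowlist = policy[feature] ?? DEFAULT_ALLOWLISTS[feature] ?? [];
  return allowlist.some(e => e === '*' || e === 'self' || e === documentOrigin);
}

// Simulates navigator.credentials.create() from any script on the page.
// On denial, returns the error name the page sees plus a constructed
// violation report resembling what the Reporting API would deliver.
function simulateCreate(header, documentOrigin) {
  const policy = parsePermissionsPolicy(header);
  const feature = 'publickey-credentials-create';
  if (featureAllowed(policy, feature, documentOrigin)) return { ok: true };
  return {
    ok: false,
    error: 'NotAllowedError',
    report: { type: 'permissions-policy-violation', body: { featureId: feature, disposition: 'enforce' } },
  };
}
```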
Activity log
Real-time trace of what the analytics tag tried to do, and how the browser responded.