This cross-origin iframe only has publickey-credentials-get permission.
It will request WebAuthn using RP ID attacker.shc.me plus a password in the same call.
It should NOT be able to access password credentials.
Ready. Click a button to start.
PASSWORD CREDENTIAL STOLEN!
ID:
Name:
Password:
This password was received by a cross-origin iframe that only has
publickey-credentials-get permission!
Safe: The request was correctly blocked or returned a non-password credential.