Note: cross-origin iframes are forbidden in Web Authentication, so this should fail.