[Webkit-unassigned] [Bug 232977] _WKWebAuthenticationPanel should expose a way to encode CTAP commands

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Nov 15 17:24:38 PST 2021


--- Comment #13 from Garrett Davidson <garrett_davidson at apple.com> ---
(In reply to j_pascoe at apple.com from comment #12)

> We already made _WKWebAuthenticationPanel start using
> AuthenticatorCoordinator::produceClientDataJson internally in
> https://trac.webkit.org/changeset/285617/webkit as using a different
> implementation broke WebAuthn due to the signature not matching the client
> data json returned.

I didn't realize that. Neat!

> The complete ClientDataJson is only needed for returning via the api, which
> is already done in AuthenticatorCoordinator.cpp:238. Everywhere else,
> ClientDataHash can be passed around. The authenticator does not need this
> value, noted here:
> https://www.w3.org/TR/webauthn-3/#iface-authenticatorresponse
> To complete same-site i-frames, we are going to have to add a crossOrigin
> flag to ClientDataJson, which is complicated by _WKWebAuthenticationPanel
> also having an SPI to calculate ClientDataJson, so we're going to have to
> end up removing it and likely changing these new SPIs.

Pascoe and I discussed this out of band. We're still thinking about the best way to reduce duplicated work for all of the intended clients here.

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20211116/244494c4/attachment.htm>

More information about the webkit-unassigned mailing list