[Webkit-unassigned] [Bug 232977] _WKWebAuthenticationPanel should expose a way to encode CTAP commands
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Nov 15 17:24:38 PST 2021
https://bugs.webkit.org/show_bug.cgi?id=232977
--- Comment #13 from Garrett Davidson <garrett_davidson at apple.com> ---
(In reply to j_pascoe at apple.com from comment #12)
> We already made _WKWebAuthenticationPanel start using
> AuthenticatorCoordinator::produceClientDataJson internally in
> https://trac.webkit.org/changeset/285617/webkit as using a different
> implementation broke WebAuthn due to the signature not matching the client
> data json returned.
I didn't realize that. Neat!
> The complete ClientDataJson is only needed for returning via the api, which
> is already done in AuthenticatorCoordinator.cpp:238. Everywhere else,
> ClientDataHash can be passed around. The authenticator does not need this
> value, noted here:
> https://www.w3.org/TR/webauthn-3/#iface-authenticatorresponse
>
> To complete same-site i-frames, we are going to have to add a crossOrigin
> flag to ClientDataJson, which is complicated by _WKWebAuthenticationPanel
> also having an SPI to calculate ClientDataJson, so we're going to have to
> end up removing it and likely changing these new SPIs.
Pascoe and I discussed this out of band. We're still thinking about the best way to reduce duplicated work for all of the intended clients here.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20211116/244494c4/attachment.htm>
More information about the webkit-unassigned
mailing list