[Webkit-unassigned] [Bug 230893] Remove the user gesture requirement for using the platform authenticator on the web

bugzilla-daemon at webkit.org
Thu Oct 28 10:07:23 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=230893

--- Comment #13 from John Wilander <wilander at apple.com> ---
(In reply to j_pascoe at apple.com from comment #12)
> Credentials can never be used without a user gesture (up=0, without user
> presence). This is for presenting the modal dialog where you can choose to
> select a key / insert an authenticator, after a given credential is chosen,
> there is still a test of user presence. Currently we require a user gesture
> to present this dialog, but you get a free try without it if you are
> Dropbox, Microsoft, Google, Twitter, or Facebook. 
> 
> The worry is about websites spamming modal dialogs to prevent users from
> changing tabs, etc. Unfortunately there's no pre-existing case of a
> webkit-only non-modal dialog for MacOS that I can find (even mini browser
> stuff uses NSAlert.)

Thanks! Please rename the bug to make it clear in which context the user gesture requirement will be relaxed.

Regarding user presence. We need to make that clear too. A user can be present but passively so, right? I want to avoid drive-by redirects that can pick up credentials. We already have that problem with cookies which is a multi-year project to rein in.
