[Webkit-unassigned] [Bug 230893] Present non-modal dialog to present Webauthn panel without user gesture upon credentials.get/create calls

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Oct 28 10:39:01 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=230893

--- Comment #14 from j_pascoe at apple.com <j_pascoe at apple.com> ---
User presence in the context of WebAuthn is defined as "A test of user presence is a simple form of authorization gesture and technical process where a user interacts with an authenticator by (typically) simply touching it (other modalities may also exist), yielding a Boolean result." with an authorization gesture defined as "a physical interaction performed by a user with an authenticator as part of a ceremony, such as registration or authentication. By making such an authorization gesture, a user provides consent for (i.e., authorizes) a ceremony to proceed." 

So the case of a user passively present would not count. In the platform authenticator case with Face ID for example, a dialog is presented asking if it's okay for the website to use Face ID, hitting yes here is the test of user presence.

This bug refers to changing the behavior of what is required to present that dialog asking if it's okay in the first place, as it is modal on iOS for example, and if a site was able to spam it, they would not be able to change tabs or otherwise exit the website. Currently, we require a user gesture on the call to navigator.credentials.create() or navigator.credentials.get() as a way to prevent this. Unfortunately, few RPs perform their call to navigator.credentials.create() or navigator.credentials.get() with a user gesture, leading to WebAuthn not working at all in most cases.

As a compromise, currently we allow one free use of navigator.credentials.create() or navigator.credentials.get() without a user gesture to present the WebAuthn panel if the request comes from a short list of popular websites (Dropbox, Microsoft, Google, Twitter, or Facebook).

This bug is to change the current behavior to give all sites one freebie use of navigator.credentials.create() or navigator.credentials.get() to present the modal UI without a user gesture. Then if another call is made without a gesture, the user will be required to hit allow on a non-modal pre-dialog to the current dialogs, asking the user if they want to use WebAuthn.

Also, of note is that there are rumblings of adding non-modal UI for WebAuthn to the spec in level 3 here: https://github.com/w3c/webauthn/issues/1545

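The following is an added illustration, not WebKit code or anything from the bug: it models the two panel-presentation policies described in the comment (the current allow-list with one free non-gesture use, and the proposed one-freebie-for-every-site followed by a non-modal pre-dialog) as a pure decision function, so the spam scenario and the per-site state can be exercised offline. Function names, the "reject" outcome for non-allow-listed sites without a gesture, and the simplified site-key derivation are assumptions.

```javascript
// Hypothetical model of the WebAuthn panel-presentation policy discussed above.
// Not WebKit's implementation; names and the "reject" outcome are assumptions.

// Sites named in the comment as getting one free non-gesture use today.
const CURRENT_ALLOW_LIST = new Set([
  "dropbox.com", "microsoft.com", "google.com", "twitter.com", "facebook.com",
]);

// Constructed simplification: take the last two labels as the site key.
// A real implementation would use the public suffix list (eTLD+1).
function siteKey(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Decide how a navigator.credentials.create()/get() call is presented.
//   policy: "current" | "proposed"
//   state:  Map<siteKey, number of non-gesture panel presentations so far>
// Returns "panel" (present the modal WebAuthn panel), "pre-dialog" (show the
// non-modal "use WebAuthn?" dialog first) or "reject" (present nothing).
function decidePresentation({ hostname, hasUserGesture }, policy, state) {
  if (hasUserGesture) return "panel"; // a user gesture always suffices
  const key = siteKey(hostname);
  const used = state.get(key) || 0;
  if (policy === "current") {
    // Only allow-listed sites get one freebie; everyone else needs a gesture.
    if (CURRENT_ALLOW_LIST.has(key) && used === 0) {
      state.set(key, 1);
      return "panel";
    }
    return "reject";
  }
  // proposed: every site gets one freebie, then the non-modal pre-dialog
  // gates each further non-gesture call, so a spamming page cannot keep the
  // modal panel on screen.
  state.set(key, used + 1);
  return used === 0 ? "panel" : "pre-dialog";
}

// Replay `calls` back-to-back non-gesture requests from one site and return
// the sequence of outcomes (the "site spams the panel" scenario).
function simulate(hostname, calls, policy) {
  const state = new Map();
  const out = [];
  for (let i = 0; i < calls; i++) {
    out.push(decidePresentation({ hostname, hasUserGesture: false }, policy, state));
  }
  return out;
}

module.exports = { siteKey, decidePresentation, simulate, CURRENT_ALLOW_LIST };
```

Running `simulate("example.com", 3, "proposed")` yields one panel followed by pre-dialogs, while the same calls under "current" are all rejected because the site is not allow-listed.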