[Webkit-unassigned] [Bug 239275] New: Safari freezes on WebAuthn navigator.credentials.get() when users interacts with security key not in allowCredentials
bugzilla-daemon at webkit.org
Tue Apr 12 22:00:50 PDT 2022
https://bugs.webkit.org/show_bug.cgi?id=239275
Bug ID: 239275
Summary: Safari freezes on WebAuthn navigator.credentials.get()
when users interacts with security key not in
allowCredentials
Product: WebKit
Version: Safari 15
Hardware: Mac (Apple Silicon)
OS: macOS 12
Status: NEW
Severity: Normal
Priority: P2
Component: WebKit Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: matthew at millerti.me
Created attachment 457507
--> https://bugs.webkit.org/attachment.cgi?id=457507&action=review
Video reproducing the issue
Safari Version 15.4 (17613.1.17.1.13) on macOS 12.3.1 enters a "disabled" state when `navigator.credentials.get()` is called with a security key credential (i.e. transports are set to "usb" and "nfc") in `allowCredentials`, but then the user interacts with a security key that does not match the credential.
By "disabled" state I mean the window becomes almost completely unresponsive to left clicks, and right clicks bring up context menus with all options disabled. Additionally, the red close button on the window's "stoplights" turns grey and cannot be used to close the window. At this point the only way to close the window is to Force Quit out of Safari.
See attached video for a demonstration, and screenshot for proof of Safari version.
## Reproduction:
The issue can be reproduced with the following HTML + JavaScript hosted at http://localhost:
```
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Safari Bug Repro - WebAuthn Authentication Browser Crash</title>
</head>
<body>
  <h1>
    Safari Bug Repro - WebAuthn Authentication Browser Crash
  </h1>
  <button id="startAuth">Authenticate</button>
  <h2>Context</h2>
  <p>
    A single credential with a random ID has been set to <strong>allowCredentials</strong> with
    security key transports <strong>"usb"</strong> and <strong>"nfc"</strong>.
  </p>
  <h2>Reproduction Steps</h2>
  <ol>
    <li>
      Click the <strong>Authenticate</strong> button above to call navigator.credentials.get().
    </li>
    <li>
      Select <strong>Security Key</strong> from the WebAuthn browser modal.
    </li>
    <li>
      Interact with any available security key.
    </li>
    <li>
      Observe the browser becomes unresponsive to almost all input, and the close button in the
      upper-left enters a disabled state.
    </li>
  </ol>
  <script>
    document.getElementById('startAuth').addEventListener('click', async (event) => {
      event.preventDefault();
      try {
        console.log('Calling navigator.credentials.get()');
        const res = await navigator.credentials.get({
          publicKey: {
            rpId: 'localhost',
            allowCredentials: [
              { id: new Uint8Array(32).fill(1), type: "public-key", transports: ["usb", "nfc"] }
            ],
            challenge: new Uint8Array(32).fill(1),
          },
        });
        console.log('Response:', res);
      } catch (err) {
        alert(err);
      }
    });
  </script>
</body>
</html>
```