[Webkit-unassigned] [Bug 258642] New: [WebAuthn] invoking modal UI after canceling conditional UI results in loss of user activated event
bugzilla-daemon at webkit.org
Wed Jun 28 13:17:36 PDT 2023
https://bugs.webkit.org/show_bug.cgi?id=258642
Bug ID: 258642
Summary: [WebAuthn] invoking modal UI after canceling conditional UI results in loss of user activated event
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: New Bugs
Assignee: webkit-unassigned at lists.webkit.org
Reporter: sweeden at au1.ibm.com
Consider the following scenario:
1. On page load, navigator.credentials.get is called for autofill UI with mediation: "conditional". An appropriate abortController is established.
2. The page also contains a "Sign in with passkey" button, which the user presses.
3. In the onclick handler for the button, the abortController.abort() is called.
4. Either using async/await, or by using the catch() handler of the conditional mediation call to navigator.credentials.get, we wait for the abort to complete, then try to invoke the modal version of navigator.credentials.get.
5. At this point a permissions warning is shown "This web page is trying to ask you to sign in using a passkey or security key. Do you want to allow this?" Don't Allow / Allow.
The bug is that the warning in step 5 above should not be shown because there was a user activated event (the push of the "Sign in with a passkey" button); however, the async canceling of the autofill call seems to consume it.
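The sequence in steps 1 to 4 of the report, written out as an added example (not code from the bug report or from WebKit). `createPasskeySignIn`, `makeFakeCredentials` and the injected `credentials` parameter are hypothetical names; the fake container is constructed so the ordering can be checked outside a browser.

```javascript
// Added example. All names here are hypothetical; `credentials` is injected so
// the sequence runs under Node. In a page, pass navigator.credentials.
function createPasskeySignIn(credentials, publicKey) {
  let controller = null;
  let conditional = null;

  // Step 1: on page load, start the autofill request with conditional mediation.
  function startConditional() {
    controller = new AbortController();
    conditional = credentials
      .get({ publicKey, mediation: "conditional", signal: controller.signal })
      .then((cred) => ({ source: "conditional", cred }))
      .catch((err) => ({ source: "conditional", aborted: err.name === "AbortError" }));
    return conditional;
  }

  // Steps 2-4: body of the "Sign in with passkey" button's onclick handler.
  async function onButtonClick() {
    if (controller) {
      controller.abort();   // step 3
      await conditional;    // step 4: wait for the abort to complete
    }
    // Step 5: per the report, WebKit shows the permission warning at this
    // call even though it was started from the button press.
    const cred = await credentials.get({ publicKey });
    return { source: "modal", cred };
  }

  return { startConditional, onButtonClick };
}

// Constructed stand-in for navigator.credentials that records call order.
function makeFakeCredentials(log) {
  return {
    get(options) {
      const conditional = options.mediation === "conditional";
      log.push(conditional ? "conditional:start" : "modal:start");
      if (!conditional) return Promise.resolve({ id: "constructed-credential" });
      return new Promise((_resolve, reject) => {
        options.signal.addEventListener("abort", () => {
          log.push("conditional:aborted");
          const err = new Error("request aborted");
          err.name = "AbortError";
          reject(err);
        });
      });
    },
  };
}
```

With the fake, the recorded order is `conditional:start`, `conditional:aborted`, `modal:start`; the awaited abort between the click and the modal call is the point the report identifies.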