[Webkit-unassigned] [Bug 258642] New: [WebAuthn] invoking modal UI after canceling conditional UI results in loss of user activated event

Wed Jun 28 13:17:36 PDT 2023

https://bugs.webkit.org/show_bug.cgi?id=258642

            Bug ID: 258642
           Summary: [WebAuthn] invoking modal UI after canceling
                    conditional UI results in loss of user activated event
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sweeden at au1.ibm.com

Consider the following scenario:

1. On page load, navigator.credentials.get is called for autofill UI with mediation: "conditional". An appropriate abortController is established.
2. The page also contains a "Sign in with passkey" button, which the user presses.
3. In the onclick handler for the button, the abortController.abort() is called.
4. Either using async/await, or by using the catch() handler of the call to to conditional mediation call to navigator.credentials.get, we wait for the abort to complete, then try to invoke the modal version of navigator.credentials.get.
5. At this point a permissions warning is shown "This web page is trying to ask you to sign in using a passkey or security key. Do you want to allow this?" Don't Allow / Allow. 

The bug is that the warning in step 5 above should not be shown because there was a user activated event (the push of the "Sign in with a passkey" button) however the async canceling of the autofill call seems to consume it.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230628/541dd81e/attachment.htm>