
Intent to Ship: Web Authentication API: PublicKeyCredential’s getClientCapabilities() method


Andrii Natiahlyi

Nov 14, 2024, 9:41:44 AM
to blin...@chromium.org, Adam Langley

Contact emails

nati...@google.com, a...@google.com

Explainer

None

Specification

https://w3c.github.io/webauthn/#sctn-getClientCapabilities

Summary

The getClientCapabilities() method allows determining which WebAuthn features are supported by the user's client. The method returns a list of supported capabilities, allowing developers to tailor authentication experiences and workflows based on the client's specific functionality.



Blink component

Blink>WebAuthentication

TAG review

None

TAG review status

Not applicable

Risks



Interoperability and Compatibility

None



Gecko: No signal

WebKit: Shipped/Shipping (https://developer.apple.com/documentation/safari-release-notes/safari-17_4-release-notes#WebAuthn)

Web developers: No signals

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

None



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

Yes

https://wpt.fyi/results/webauthn/getclientcapabilities.https.html



DevTrial instructions

https://docs.google.com/document/d/e/2PACX-1vR3yUwIFZ0LbKpJ6J4GBamP-IrBgkal3arJ_CZLbRZwBDhFTZpdpVYMsPuvB6Mjnl0heE-6r9wE7Sfw/pub

Flag name on about://flags

enable-experimental-web-platform-features

Finch feature name

WebAuthenticationClientCapabilities

Requires code in //chrome?

False

Tracking bug

https://g-issues.chromium.org/issues/360327828

Availability expectation

Safari has shipped an implementation already.

Estimated milestones

Shipping on desktop: 133
DevTrial on desktop: 131
Shipping on Android: 133
DevTrial on Android: 131
Shipping on WebView: 133


Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

None

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5128205875544064?gate=5206408640069632

Links to previous Intent discussions

Intent to Prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/Wb8VjXe_zT8
Ready for Trial: https://groups.google.com/a/chromium.org/g/blink-dev/c/YTkGIdlQMAw


This intent message was generated by Chrome Platform Status.

--

Andrii Natiahlyi

Software Engineer

nati...@google.com



Mike Taylor

Nov 18, 2024, 1:44:06 PM
to Andrii Natiahlyi, blin...@chromium.org, Adam Langley

On 11/14/24 9:39 AM, 'Andrii Natiahlyi' via blink-dev wrote:

> TAG review
>
> None

It may be useful to send a non-blocking/FYI review here, since this is a flavor of feature detection.


> Gecko: No signal

Can we ask for one?


> Debuggability
>
> None

This should probably be N/A - DevTools doesn't need anything special here.



> Is this feature fully tested by web-platform-tests?
>
> Yes
>
> https://wpt.fyi/results/webauthn/getclientcapabilities.https.html

Given that any capability can be omitted, do we expect {} to be conforming, however unlikely (I think yes?)?

Andrii Natiahlyi

Nov 19, 2024, 12:24:50 PM
to Mike Taylor, blin...@chromium.org, Adam Langley
Hello Mike,

Thank you for your feedback.


> Given that any capability can be omitted, do we expect {} to be conforming, however unlikely (I think yes?)?
And yes, you're correct. Even though it's unlikely, we do expect an empty set `{}` to be conforming.

Best,
Andrii
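
Added illustration, not part of the thread or of Chromium's code: since the reply above confirms that an empty record `{}` is a conforming result, a caller has to treat an omitted key as "unknown" rather than "unsupported". The sketch reads only the keys it needs and falls back to the older static probes; the capability names are from the WebAuthn specification linked in the intent, while `probeCapabilities`, `pkc` and the stub clients are hypothetical names constructed for the example.

```javascript
// Added example: tri-state reading of WebAuthn client capabilities.
// `pkc` stands in for window.PublicKeyCredential so this also runs outside a browser.
const WANTED = ["conditionalGet", "userVerifyingPlatformAuthenticator"];

// Older static probes that predate getClientCapabilities().
const LEGACY = {
  conditionalGet: "isConditionalMediationAvailable",
  userVerifyingPlatformAuthenticator: "isUserVerifyingPlatformAuthenticatorAvailable",
};

async function probeCapabilities(pkc, wanted = WANTED) {
  let reported = {};
  if (pkc && typeof pkc.getClientCapabilities === "function") {
    try {
      reported = (await pkc.getClientCapabilities()) || {};
    } catch {
      reported = {}; // treat a rejected promise like an empty record
    }
  }
  const result = {};
  for (const key of wanted) {
    if (typeof reported[key] === "boolean") {
      result[key] = reported[key] ? "supported" : "unsupported";
    } else if (pkc && typeof pkc[LEGACY[key]] === "function") {
      // Key omitted: availability is not known, so ask the older probe.
      result[key] = (await pkc[LEGACY[key]]()) ? "supported" : "unsupported";
    } else {
      result[key] = "unknown"; // omitted is not the same as false
    }
  }
  return result;
}

// Constructed stand-ins for three clients (not real browser objects).
const emptyClient = { getClientCapabilities: async () => ({}) };
const partialClient = {
  getClientCapabilities: async () => ({ conditionalGet: false }),
  isUserVerifyingPlatformAuthenticatorAvailable: async () => true,
};
const legacyOnlyClient = { isConditionalMediationAvailable: async () => true };

async function demo() {
  return {
    empty: await probeCapabilities(emptyClient),
    partial: await probeCapabilities(partialClient),
    legacyOnly: await probeCapabilities(legacyOnlyClient),
  };
}
demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In a page, pass `window.PublicKeyCredential` as `pkc`; an "unknown" result should leave the existing sign-in path in place rather than hide the passkey option.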

Alex Russell

Nov 20, 2024, 12:14:40 PM
to blink-dev, Andrii Natiahlyi, blin...@chromium.org, Adam Langley, Mike Taylor
Is there additional fingerprinting risk here? I'm happy to see this move forward even if there is, but we should call it out.


Andrii Natiahlyi

Nov 20, 2024, 1:14:59 PM
to Alex Russell, blink-dev, Adam Langley, Mike Taylor
> Is there additional fingerprinting risk here? I'm happy to see this move forward even if there is, but we should call it out.

The current set of capabilities does not pose such a risk (privacy review). However, if any new capabilities are added to the method that do pose a fingerprinting risk, they should undergo a blink-dev / privacy review.
Also, it is probably worth highlighting the discussions about fingerprinting vectors that happened here: https://github.com/w3c/webauthn/pull/1923


Mike Taylor

Nov 22, 2024, 3:35:48 PM
to Andrii Natiahlyi, Alex Russell, blink-dev, Adam Langley

Thanks Andrii - I see that Mozilla is positive on the feature now, thanks for requesting the review.

And to Alex's request to call out FP risk - the spec does acknowledge it, and allows UAs to limit what it returns.

LGTM1

Chris Harrelson

Nov 27, 2024, 10:59:40 AM
to Mike Taylor, Andrii Natiahlyi, Alex Russell, blink-dev, Adam Langley

Vladimir Levin

Dec 3, 2024, 8:19:03 PM
to Chris Harrelson, Mike Taylor, Andrii Natiahlyi, Alex Russell, blink-dev, Adam Langley

Tom Jones

Dec 15, 2024, 12:23:35 AM
to Alex Russell, blink-dev, Andrii Natiahlyi, Adam Langley, Mike Taylor
I worry about fingerprinting as well and would like to see it called out specifically.

thx ..Tom (mobile)


Mike Taylor

Dec 15, 2024, 10:02:12 AM
to pe...@acm.org, Alex Russell, blink-dev, Andrii Natiahlyi, Adam Langley

If you're looking for something beyond what's already in https://w3c.github.io/webauthn/#sctn-disclosing-client-capabilities - please file an issue against the draft.
