Intent to Prototype: WebAuthn remoteClientDataJSON Extension

127 views

Skip to first unread message

Chromestatus

unread,

Apr 24, 2026, 1:06:22 PMApr 24

to blin...@chromium.org, Zachar...@microsoft.com, jam...@microsoft.com, ti...@micrsosoft.com

Contact emails

jam...@microsoft.com, Zachar...@microsoft.com, ti...@micrsosoft.com

Explainer

https://github.com/bobomb/MSEdgeExplainers/blob/9838480febdc51033b46e2d9d7a9d1813df890f1/WebAuthnRemoteClientDataJSON/explainer.md

Specification

https://github.com/w3c/webauthn/pull/2375

Summary

Allows a caller to provide a complete clientDataJSON string for a WebAuthn ceremony, which the browser passes through to the authenticator without modification. This enables remote desktop web clients to forward WebAuthn requests with the exact clientDataJSON from the remote host, preventing signature verification failures caused by differences between the browser-constructed and host-provided clientDataJSON.

Blink component

Blink>WebAuthentication

Web Feature ID

webauthn

Motivation

The remoteClientDataJSON extension for the Web Authentication API allows a caller to provide a complete clientDataJSON string for a WebAuthn ceremony, which the browser passes through to the authenticator without modification. This enables remote desktop web clients to forward WebAuthn requests with the exact clientDataJSON from the remote host, preventing signature verification failures caused by differences between the browser-constructed and host-provided clientDataJSON.

Initial public proposal

https://github.com/w3c/webauthn/pull/2375

Goals for experimentation

None

Requires code in //chrome?

True

Tracking bug

https://issues.chromium.org/issues/506062130

Estimated milestones

No milestones specified

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5127601250238464?gate=6194074211188736

This intent message was generated by Chrome Platform Status.

Ari Chivukula

unread,

11:56 AM (2 hours ago) 11:56 AM

to Chromestatus, blink-dev, Zachar...@microsoft.com, jam...@microsoft.com, ti...@micrsosoft.com

In the explainer, the default for the new permissions policy is 'none', however I don't believe this is currently supported in the codebase except as a speculative prototype: https://source.chromium.org/chromium/chromium/src/+/main:services/network/public/cpp/permissions_policy/permissions_policy_features.h;drc=5e79508c687fc220ac05fb45dfc582ae69ebfb42;l=41

Implementing it would require its own launch and spec change. It might be worth seeking feedback specifically on that point from chrome-privac...@google.com on the early side (before pursuing experiment or launch).

~ Ari Chivukula (Their/There/They're)

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69eba302.710a0220.18de8c.0119.GAE%40google.com.

Reply all

Reply to author

Forward

0 new messages