The new `hints` parameter[1] in WebAuthn requests allows sites to provide guidance to browsers to guide their UI. The canonical use case is enterprises which know that their internal sites use only security keys and want to be able to communicate that so that browsers focus the UI on that case. But hints also resolve a tension where the current `authenticatorAttachment` parameter is strict: setting it to `platform` excludes all cross-platform options and vice versa. This has proven less than ideal in some cases. [1] https://w3c.github.io/webauthn/#enum-hints
None: new option which only tweaks UI.
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
No.
Not really. This causes the browser UI to switch emphasis, but doesn't otherwise change any site-observable behaviour.
On Android & Android WebView, support would require changes to other components: the android.credentials code in the framework and, for older Android versions, Play Services. That might come in the future, but it's not part of the Blink and Chrome work. (The Blink change is, of course, required for anything else in the system to be able to handle this parameter.)
Some versions of Windows handle WebAuthn UI themselves and, while Chrome can change its UI, this parameter won't immediately change the Windows UI. However, Microsoft is positive about this change and Chromium will be updated to pass this parameter on as soon as the Windows API is able to receive it.
Hints only affect the browser UI and unknown parameters are ignored in WebAuthn already.
Shipping on desktop | 128 |
Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
None

Hi Adam,
Could you please request reviews (or N/A, if you have internal approvals) for Privacy, Security, and Enterprise bits in your chromestatus entry?
thx,
Mike
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL9PXLzcnJ9xLwJZzQJBL0UJdnDGb7tB5Uu7cYqB%2Bdcdb%2BCfTQ%40mail.gmail.com.
(oops, accidentally removed agl@ from To, fixing)
On 6/4/24 11:35 AM, Mike Taylor wrote:
Hi Adam,
Could you please request reviews (or N/A, if you have internal approvals) for Privacy, Security, and Enterprise bits in your chromestatus entry?
On 6/4/24 9:50 PM, Adam Langley wrote:
On Mon, Jun 3, 2024 at 7:36 PM Mike Taylor <mike...@chromium.org> wrote:
(oops, accidentally removed agl@ from To, fixing)
On 6/4/24 11:35 AM, Mike Taylor wrote:
Hi Adam,
Could you please request reviews (or N/A, if you have internal approvals) for Privacy, Security, and Enterprise bits in your chromestatus entry?
Reviews have been requested for some time now.
Sorry - unsure if this is a chromestatus bug or I am missing something - I see that Privacy, Security, and Enterprise were requested 9 hours ago. Either way - thanks. :)
Reviews have been requested for some time now.
Contact emails
a...@chromium.org
Specification
https://w3c.github.io/webauthn/#enum-hints
Summary
The new `hints` parameter[1] in WebAuthn requests allows sites to provide guidance to browsers to guide their UI. The canonical use case is enterprises which know that their internal sites use only security keys and want to be able to communicate that so that browsers focus the UI on that case. But hints also resolve a tension where the current `authenticatorAttachment` parameter is strict: setting it to `platform` excludes all cross-platform options and vice versa. This has proven less than ideal in some cases. [1] https://w3c.github.io/webauthn/#enum-hints
Blink component
Blink>WebAuthentication
TAG review
None
TAG review status
Not applicable
Risks
Interoperability and Compatibility
None: new option which only tweaks UI.
Gecko: No signal
WebKit: No objections when asked in person.
--
TAG review status
Not applicable
Can you clarify why that's the case?
Interoperability and Compatibility
None: new option which only tweaks UI.
Gecko: No signal
WebKit: No objections when asked in person.
Can you ask for positions? https://bit.ly/blink-signals
LGTM1
/Daniel
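
As an added example (not part of the thread or of Chromium's code): how a site that expects security keys could pass `hints` instead of a strict `authenticatorAttachment`, and then compare the browser-reported attachment with what was hinted, since hints only steer UI. The function names, the hint-to-attachment mapping and the sample values are assumptions of this example.

```javascript
// Added example, not code from the thread. Function and field names are hypothetical.
// Hint values come from the PublicKeyCredentialHints enum in the linked spec.
const KNOWN_HINTS = ["security-key", "client-device", "hybrid"];

// Assumption of this example: the attachment each hint would normally lead to.
const EXPECTED_ATTACHMENT = {
  "security-key": "cross-platform",
  "client-device": "platform",
  "hybrid": "cross-platform",
};

// Keep the caller's order (earlier entries are preferred), drop unknown
// strings and duplicates so the request carries only defined values.
function normalizeHints(requested) {
  return [...new Set(requested)].filter((h) => KNOWN_HINTS.includes(h));
}

// Options for a site that expects security keys. authenticatorAttachment is
// deliberately not set, so no authenticator class is strictly excluded.
function buildCreationOptions({ rp, user, challenge, hints }) {
  return {
    rp,
    user,
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    hints: normalizeHints(hints),
  };
}

// A hint is advisory, so compare what the browser reports was used with what
// was hinted. `credential` is the object returned by navigator.credentials.create().
// The attachment is client-reported: use it for telemetry or UX, not as proof.
function hintOutcome(hints, credential) {
  const used = credential.authenticatorAttachment ?? null;
  if (used === null) return "unknown";
  const expected = normalizeHints(hints).map((h) => EXPECTED_ATTACHMENT[h]);
  return expected.includes(used) ? "followed" : "diverged";
}

// Constructed sample values; in a page, pass the options as
// navigator.credentials.create({ publicKey: opts }).
const opts = buildCreationOptions({
  rp: { id: "intranet.example", name: "Example Intranet" },
  user: { id: new Uint8Array([1, 2, 3, 4]), name: "alice", displayName: "Alice" },
  challenge: new Uint8Array(32), // placeholder; use server-generated random bytes
  hints: ["security-key", "usb-thing", "security-key"],
});
console.log(opts.hints, hintOutcome(opts.hints, { authenticatorAttachment: "platform" }));
```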