Allow IWAs to call WebAuthn [chromium/src : main]
Olga Korokhina (Gerrit)
Olga Korokhina voted and added 4 comments![]( "Open in Gerrit")
Votes added by Olga Korokhina
| Commit-Queue | +1 |
4 comments
Allow IWAs to call navigator.credentials methodsOlga Korokhina```suggestion
Allow IWAs to call WebAuthn
```
Changed, thank you.
Change adds IWA schema for allowed to proceed with WebAuthn VDI flow calls, introduces dedicated flag feature::kWebAuthnIWARemoteDesktopAllowedOriginsPolicy, check if IWA caller origin listed in webauthn::pref_names::kRemoteDesktopAllowedOrigins happens in existing code.Olga Korokhina```suggestion
This exposes the WebAuthn API to calls from IWA origins. IWAs by default won't be able to claim any RP IDs, unless they're using the remoteDestkopClientOverride extension to act on behalf of another web origin. Access to this extension must be enabled for individual IWA origins via the webauthn.remote_desktop_allowed_origins enterprise policy.Flag guarded by the device::kWebAuthnIWARemoteDesktopAllowedOriginsPolicy feature flag.
```
Changed as you proposed but I am a bit concerned about policy naming, wouldn't it be better to use 'WebAuthenticationRemoteDesktopAllowedOrigins' instead of 'webauthn.remote_desktop_allowed_origins'?
Enabled-by-default-reason: WebAuthn for IWAs should be enabled
from the boxOlga Korokhina```suggestion
Enabled-by-default-reason: Killswitch
```
Changed, thank you
Fuchsia-Binary-Size: Adds ~16KB uncompressed to support WebAuthn for Isolated Web Apps, which is enabled by default.Olga KorokhinaI find it unlikely that this change is really adding that much to the Fuchsia binary. Try removing this please.
Let's try, I added it here because of AI suggestion, probably no longer relevant indeed.
Related details
- Martin Kreichgauer
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |