Re: WebAuthn WebIDL Questions from Adam Powers on 2016-10-30 (public-webauthn@w3.org from October 2016)

From: Adam Powers <adam@fidoalliance.org>
Date: Sun, 30 Oct 2016 14:35:32 -0700
To: "Hodges, Jeff" <jeff.hodges@paypal.com>
Cc: W3C WebAuthn WG <public-webauthn@w3.org>
Message-ID: <CACu+4csRBa2cJAHHfOqTZvA7E6RHOO-g6FkTGiBnVCpGcEB5fQ@mail.gmail.com>

What sent me down the path of asking these questions is that the idlharness
expects every interface to be declared as global unless it is declared with
the [NoInterfaceObject] extended attribute. So the way our interfaces are
defined now it seems like we would end up with window.WebAuthentication,
window.ScopedCredentialInfo, etc.
https://github.com/w3c/testharness.js/blob/873f9680aff66553f84d38f21a038c4534cc2789/idlharness.js#L759-L768

Which is consistent with the specification:
https://heycam.github.io/webidl/#es-interfaces

I think that implies that users could call new WebAuthentication(), new
ScopedCredentialInfo(), etc. Is that the intent?

On October 30, 2016 at 11:37:28 AM, Hodges, Jeff (jeff.hodges@paypal.com)
wrote:

On 10/29/16, 6:04 PM, "Adam Powers" <adam@fidoalliance.org> wrote:
>Hey guys, I¹m not a WebIDL expert but as I¹m reading through our WebIDL
>to create tests I have a few questions:
>
>1. I¹m assuming that the members of ScopedCredentialOptions and
>AssertionOptions should be nullable types, similar to the example in
>WebIDL 2.2: https://heycam.github.io/webidl/#issue-4d2fc4e6 , right?

Well, all of those two dictionaries' members are optional since they are
not declared "required", AFAIU. Rather than pass members with NULL values,
the caller can just not include such members (?)

>2. According to WebIDL 3.6 interfaces without [NoInterfaceObject] must
>show up on the global `window` object:
>https://heycam.github.io/webidl/#es-interfaces . Do we want to declare
>the WebAuthentication interface with [NoInterfaceObject], since it is
>behaving
>as a singleton? Note that this is how the geolocation and indexeddb
>interfaces are defined.

Hixie says that the above suggestion or the way we are presently declaring
the interface are equivalent -- and his answer is specifically in regard
to the geolocation API..

https://lists.w3.org/Archives/Public/public-script-coord/2014JanMar/0161.ht
ml

however, see also http://darobin.github.io/api-design-cookbook/ wherin the
use of [NoInterfaceObject] is deprecated.

>3. Should [SecureContext] only apply to interfaces with operations and /
>or operations themselves (see the note in Secure Contexts Section 2.1:
>https://www.w3.org/TR/secure-contexts/#integration-idl )?

Mike West said to use [SecureContext] on all webauthn interface
declarations..

https://github.com/w3c/webauthn/issues/146

>4. Why are ScopedCredentialInfo, WebAuthnAssertion, WebAuthnAttestation,
>and ScopedCredential interfaces instead of dictionaries?

from Vijay a while back..

According to the Web IDL spec, dictionaries are passed by
value while interfaces represent objects and are therefore
essentially references. The attestation structures are defined
as dictionaries - it would seem more natural and performant
to have them defined as interfaces instead.

In general, style guides such as
http://darobin.github.io/api-design-cookbook/ tend to recommend
the use of dictionaries when one is defining property bags to
serve as input parameters to methods, and interfaces when one
is defining return values.

additionally, interface attributes cannot themselves be dictionaries..

https://heycam.github.io/webidl/#dfn-attribute

HTH,

=JeffH

Received on Sunday, 30 October 2016 21:36:06 UTC