W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

[Credential Management]: Tiny prototype to play around with.

From: Mike West <mkwst@google.com>
Date: Thu, 16 Oct 2014 15:34:14 +0200
Message-ID: <CAKXHy=co4DCGY0V9HnRLA2=o9-0gqqRZq-97u-Z=2hk+5ynmww@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Jonas Sicking <jonas@sicking.cc>
BCCing public-webapps@, as this proposal started there[1]. It looks like it
might be reasonable to charter the spec work as part of the WebAppSec
WG[2], however, so I'm moving the conversation here for the time being.

Way back in August, I proposed a credential management API. After some
generally positive conversation with folks at Mozilla and other vendors, I
started poking at a prototype in Chrome to help us evaluate whether the API
made any sense. As of some time earlier this week, there's enough in Canary
to start looking at.

If you visit https://credential-manager-api-test.appspot.com/ in Canary
with the '--enable-credential-manager-api' flag set, you can save
credentials via `navigator.credentials.notifySignedIn()` and retrieve them
via `navigator.credentials.request()`. It only supports "local"
credentials, and doesn't do any of the UI song and dance that's still very
much TBD, but it's a nice proof of concept.

Note: Don't do this on any profile with data you care about. The current
implementation just blindly returns the first credential that matches the
origin on which the API is called, without user mediation. That's probably
not something you want to expose to the web in its current state. :)

I'd invite you to take a look at the strawman proposal (
https://mikewest.github.io/credentialmanagement/spec/), and help me decide
whether the API makes any sense. If nothing else, it'll give us something
to talk about at TPAC.

[1]: http://lists.w3.org/Archives/Public/public-webapps/2014JulSep/0141.html
[2]:
http://lists.w3.org/Archives/Public/public-web-security/2014Oct/0009.html

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 16 October 2014 13:35:04 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC