- From: Jonathan Kingston <jonathan@jooped.com>
- Date: Wed, 15 Apr 2015 01:13:24 +0100
- To: Jeffrey Yasskin <jyasskin@google.com>
- Cc: Manu Sporny <msporny@digitalbazaar.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKrjaaUYMMCFGBKNk3YResHXhDA4FVHNOguYtBccd0-80_Msqw@mail.gmail.com>
@jeffery Tests 8 and 9 here fail with LastPass: password-generation-test-cases.herokuapp.com

These are visible in a fair few apps that use AJAX for auth, in fact LastPass integration advises against using AJAX for this reason I suspect.

Allowing apps like LastPass to extend or override the store requests will allow this to be seamless to login rather than sometimes delayed or a little jankier than native experiences.

On 14 April 2015 at 16:21, Jeffrey Yasskin <jyasskin@google.com> wrote:

> On Mon, Apr 13, 2015 at 10:20 PM, Manu Sporny <msporny@digitalbazaar.com>
> wrote:
>>
>> > * Not having the ability to sync credentials between different
>> > browsers removes features that people depend on from today's
>> > managers (like LastPass) that allow you to do this. This makes the
>> > proposed solution worse than the current solution.
>>
>> Applications like LastPass use a server-side component to enable you to
>> sync credentials between different browser brands. I don't see anything
>> like this in the current spec. Worse, it looks like the current spec is
>> going to put companies like LastPass out of business (if the spec
>> doesn't allow them to inject navigator.credentials).
>>
>> Does the spec provide a suggestion on allowing browser extensions to
>> override navigator.credentials? If it does, are the security
>> ramifications of doing so detailed anywhere? If it doesn't, isn't it
>> making the state of the art worse by removing the ability to share
>> credentials across multiple browser brands?
>>
>
> Are you familiar with the way LastPass currently integrates with Chrome to
> act as a password manager? I believe the technique it currently uses will
> work at least as well when there's just one Javascript API through which
> all passwords pass. If you think it doesn't work, can you point out the
> exact place it breaks down?
>
> Jeffrey
>

Received on Wednesday, 15 April 2015 00:13:55 UTC