Re: Technical Review of WebAppSec Credential Management API [2/3] (was Re: Overlap with Credentials/Web Payments CG) from Jeffrey Yasskin on 2015-04-15 (public-webappsec@w3.org from April 2015)

From: Jeffrey Yasskin <jyasskin@google.com>
Date: Tue, 14 Apr 2015 18:52:04 -0700
To: Jonathan Kingston <jonathan@jooped.com>
Cc: Manu Sporny <msporny@digitalbazaar.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CANh-dX==mhaBi_rto9gVpZAbhxGAQdE04GvVw4ePYWx2mYaELw@mail.gmail.com>

On Tue, Apr 14, 2015 at 5:13 PM, Jonathan Kingston <jonathan@jooped.com>
wrote:

> @jeffery Tests 8 and 9 here fail with LastPass:
> password-generation-test-cases.herokuapp.com
>
> These are visible in a fair few apps that use AJAX for auth, in fact
> LastPass integration advises against using AJAX for this reason I suspect.
> Allowing apps like LastPass to extend or override the store requests will
> allow this to be seamless to login rather than sometimes delayed or a
> little jankier than native experiences.
>

Thanks. I might rephrase this as saying that LastPass takes advantage of
the standardized <form> interface in order to intercept and store password
submissions. Because AJAX login techniques are not currently standardized,
LastPass often can't find the right Javascript names to interpose. With
Mike's proposal of a common Javascript interface, it would be easier for
them to capture and suggest credentials.

The browser-understood interface Mike's proposing would also allow browsers
to provide a dedicated extension interface, rather than making LastPass run
content scripts on all websites in order to do what they need to do.
There's no need to standardize the extension interface in order for Mike's
contribution to enable it.

Jeffrey


> On 14 April 2015 at 16:21, Jeffrey Yasskin <jyasskin@google.com> wrote:
>
>> On Mon, Apr 13, 2015 at 10:20 PM, Manu Sporny <msporny@digitalbazaar.com>
>> wrote:
>>>
>>> > * Not having the ability to sync credentials between different
>>> > browsers removes features that people depend on from today's
>>> > managers (like LastPass) that allow you to do this. This makes the
>>> > proposed solution worse than the current solution.
>>>
>>> Applications like LastPass use a server-side component to enable you to
>>> sync credentials between different browser brands. I don't see anything
>>> like this in the current spec. Worse, it looks like the current spec is
>>> going to put companies like LastPass out of business (if the spec
>>> doesn't allow them to inject navigator.credentials).
>>>
>>> Does the spec provide a suggestion on allowing browser extensions to
>>> override navigator.credentials? If it does, are the security
>>> ramifications of doing so detailed anywhere? If it doesn't, isn't it
>>> making the state of the art worse by removing the ability to share
>>> credentials across multiple browser brands?
>>>
>>
>> Are you familiar with the way LastPass currently integrates with Chrome
>> to act as a password manager? I believe the technique it currently uses
>> will work at least as well when there's just one Javascript API through
>> which all passwords pass. If you think it doesn't work, can you point out
>> the exact place it breaks down?
>>
>> Jeffrey
>>
>
>

Received on Wednesday, 15 April 2015 01:52:59 UTC