Re: Technical Review of WebAppSec Credential Management API [2/3] (was Re: Overlap with Credentials/Web Payments CG)

Thanks for the response; yes, we are now on the same page.
Initially I was not clear that this was a possibility, and it should probably
be mentioned in the specification as the suggested implementation for
credential managers. With that, user agents must be informed that their code
can't expect the interface always to be present.
On 15 Apr 2015 02:52, "Jeffrey Yasskin" <jyasskin@google.com> wrote:

> On Tue, Apr 14, 2015 at 5:13 PM, Jonathan Kingston <jonathan@jooped.com>
> wrote:
>
>> @Jeffrey Tests 8 and 9 here fail with LastPass:
>> password-generation-test-cases.herokuapp.com
>>
>> These are visible in a fair few apps that use AJAX for auth; in fact,
>> LastPass integration advises against using AJAX for this reason, I suspect.
>> Allowing apps like LastPass to extend or override the store requests will
>> allow this to be seamless at login rather than sometimes delayed or a
>> little jankier than native experiences.
>>
>
> Thanks. I might rephrase this as saying that LastPass takes advantage of
> the standardized <form> interface in order to intercept and store password
> submissions. Because AJAX login techniques are not currently standardized,
> LastPass often can't find the right JavaScript names to interpose. With
> Mike's proposal of a common JavaScript interface, it would be easier for
> them to capture and suggest credentials.
>
> The browser-understood interface Mike's proposing would also allow
> browsers to provide a dedicated extension interface, rather than making
> LastPass run content scripts on all websites in order to do what they need
> to do. There's no need to standardize the extension interface in order for
> Mike's contribution to enable it.
>
> Jeffrey
>
>
>> On 14 April 2015 at 16:21, Jeffrey Yasskin <jyasskin@google.com> wrote:
>>
>>> On Mon, Apr 13, 2015 at 10:20 PM, Manu Sporny <msporny@digitalbazaar.com> wrote:
>>>>
>>>> > * Not having the ability to sync credentials between different
>>>> > browsers removes features that people depend on from today's
>>>> > managers (like LastPass) that allow you to do this. This makes the
>>>> > proposed solution worse than the current solution.
>>>>
>>>> Applications like LastPass use a server-side component to enable you to
>>>> sync credentials between different browser brands. I don't see anything
>>>> like this in the current spec. Worse, it looks like the current spec is
>>>> going to put companies like LastPass out of business (if the spec
>>>> doesn't allow them to inject navigator.credentials).
>>>>
>>>> Does the spec provide a suggestion on allowing browser extensions to
>>>> override navigator.credentials? If it does, are the security
>>>> ramifications of doing so detailed anywhere? If it doesn't, isn't it
>>>> making the state of the art worse by removing the ability to share
>>>> credentials across multiple browser brands?
>>>>
>>>
>>> Are you familiar with the way LastPass currently integrates with Chrome
>>> to act as a password manager? I believe the technique it currently uses
>>> will work at least as well when there's just one JavaScript API through
>>> which all passwords pass. If you think it doesn't work, can you point out
>>> the exact place it breaks down?
>>>
>>> Jeffrey
>>>
>>
>>
>

Received on Wednesday, 15 April 2015 05:54:42 UTC
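Added example, not part of the thread above and not code from the Credential Management spec, Chrome or LastPass: it shows the point Jeffrey and Jonathan are making, namely that once credentials pass through a single browser API, a password-manager extension can interpose on that one choke-point rather than scraping <form> submissions or guessing each site's AJAX handler names, and that a site must still feature-detect the API because it may not be present. The navigator.credentials stand-in, the store()/get() method names, the PasswordCredential shape, the fake fetch and the account data are all constructed assumptions for running outside a browser, not the 2015 draft's API.

```javascript
// Constructed stand-ins (assumptions, not the spec): a PasswordCredential shape
// and the method names store()/get() on navigator.credentials.
class PasswordCredential {
  constructor({ id, password, name = '' }) {
    this.type = 'password';
    this.id = id;
    this.password = password;
    this.name = name;
  }
}

// Stand-in for the browser's built-in credential store (one vault per "browser").
function makeBuiltinCredentials() {
  const vault = new Map(); // id -> PasswordCredential
  return {
    async store(cred) { vault.set(cred.id, cred); return cred; },
    async get(opts = {}) {
      if (!opts.password) return null;
      const first = vault.values().next();
      return first.done ? null : first.value;
    },
  };
}

// What a password-manager extension could do with a single JavaScript API:
// wrap store() to capture every credential the site hands over, and wrap get()
// to fall back to the manager's own vault (which the manager can sync across
// browser brands itself) when the browser's store has nothing.
function interpose(credentials, managerVault) {
  const origStore = credentials.store.bind(credentials);
  const origGet = credentials.get.bind(credentials);
  credentials.store = async (cred) => {
    if (cred && cred.type === 'password') {
      managerVault.set(cred.id, { id: cred.id, password: cred.password });
    }
    return origStore(cred); // still let the browser keep its own copy
  };
  credentials.get = async (opts) => {
    const fromBrowser = await origGet(opts);
    if (fromBrowser) return fromBrowser;
    const first = managerVault.entries().next();
    if (first.done) return null;
    const [id, rec] = first.value;
    return new PasswordCredential({ id, password: rec.password });
  };
  return credentials;
}

// Site-side AJAX login. navigatorLike and fetchLike are injected so this runs
// outside a browser. The site must not assume navigator.credentials exists.
async function ajaxLogin(navigatorLike, fetchLike, username, password) {
  const resp = await fetchLike('/login', {
    method: 'POST',
    body: JSON.stringify({ username, password }),
  });
  if (!resp.ok) return { ok: false, stored: false };
  const creds = navigatorLike && navigatorLike.credentials;
  if (creds && typeof creds.store === 'function') {
    await creds.store(new PasswordCredential({ id: username, password }));
    return { ok: true, stored: true };
  }
  return { ok: true, stored: false }; // API absent: login still works, nothing saved
}

// Constructed fake server: accepts exactly one account.
async function fakeFetch(url, init) {
  const body = JSON.parse(init.body);
  const ok = url === '/login' && body.username === 'alice' && body.password === 'correct horse';
  return { ok, status: ok ? 200 : 401 };
}

// Walk-through: login in browser A with the manager interposed, then show the
// same credential is offered in a fresh browser B through the manager's vault.
async function demo() {
  const managerVault = new Map();
  const navA = { credentials: interpose(makeBuiltinCredentials(), managerVault) };
  const bad = await ajaxLogin(navA, fakeFetch, 'alice', 'wrong');
  const good = await ajaxLogin(navA, fakeFetch, 'alice', 'correct horse');
  const noApi = await ajaxLogin({}, fakeFetch, 'alice', 'correct horse');
  const navB = { credentials: interpose(makeBuiltinCredentials(), managerVault) };
  const gotA = await navA.credentials.get({ password: true });
  const gotB = await navB.credentials.get({ password: true });
  return {
    bad, good, noApi,
    managerHasAlice: managerVault.has('alice'),
    gotAId: gotA && gotA.id,
    gotBId: gotB && gotB.id,
  };
}

demo().then((r) => console.log(r));
```

The interposer never needs to know how the site's AJAX login is wired; it only needs the one API the site calls, which is the difference from scraping forms. The feature-detect branch in ajaxLogin is the part a site author has to keep: login must not depend on the interface being there.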