- From: Tanvi Vyas <tanvi@mozilla.com>
- Date: Wed, 22 Apr 2015 10:52:07 -0700
- To: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <5537DFC7.5080009@mozilla.com>
Hi Mike,

I went through the current version of the Credential Management spec (https://w3c.github.io/webappsec/specs/credentialmanagement/) and have some comments/questions.

1.2.3 - How do websites tell the credential manager that sign-in succeeded? In example 3, we check for a response code of 200. But most websites will return a 200 OK even if the sign-in failed, and they will just redisplay the login page.

1.2.2 - What exactly happens when you fill federated credentials? Is the Credential Manager just telling the website which of the providers you logged into the site with the last time to "kick off the sign-in flow", or does it also seamlessly log you in without any popups from the identity providers used to go through an OAuth flow?

1.2.5 - Change Password. It would be useful for websites to indicate to the credential management page when the user is on a change password page and whether or not the user needs to enter their current password before changing to a new one. This way, it can try to avoid filling in the current password into the new password field.

4.2.2 - In the case that a user has multiple credentials for a website, we don't want to reveal all of these to a website. At this point, I assume the user agent can pop up the Credential Chooser to ask the user which of the accounts they would like to log in with. Should we mention that in this algorithm?

4.2.7 - What is the intent behind "Fuzzy Match"?

5.2 - When you clear private data in Firefox, it is for all origins (not for a specific site). And clearing passwords isn't listed as one of the options. From number 4 here, clearing private data will set the mediation flag from false to true on all saved credentials where the user has opted out of mediation. This can be a confusing experience for users - why aren't any of their passwords getting autofilled anymore? Since the password hasn't changed, there is no reason for the Credential Manager to prompt the user to save the password again. Hence, any UI we add for this situation would only be to ask the user if they want to autofill (like their browser did before they cleared private data). I'm not sure it is worth interrupting the user to reselect this preference after they clear private data. If they were clearing their passwords, this would make sense.

6.1.1 - Can credentials stored for http://example.com be made available to https://example.com?

6.1.3 - In this example, could the user agent also offer credentials to completely different domains (ex: https://bar.com) via the Credential Chooser? Perhaps example.com and bar.com are related somehow. The credentials aren't given to bar.com unless the user explicitly chooses to send example.com credentials to bar.com.

6.2 - Typo, the word "like" is used twice in a row: "other environments like like Workers".

7.2 - Is the iconURL really necessary? What do you mean by 'MUST be fetched with the credentials flag set to "omit"'?

Thanks!
~Tanvi
Received on Wednesday, 22 April 2015 17:52:36 UTC