- From: Jeffrey Yasskin via GitHub <sysbot+gh@w3.org>
- Date: Tue, 03 Oct 2017 21:48:11 +0000
- To: public-webauthn@w3.org

Sorry it took me so long to look. I believe https://w3c.github.io/webappsec-credential-management/#algorithm-request takes complete charge of handling the `mediation` field. This handling uses a distinction between the [`[[CollectFromCredentialStore]]`](https://w3c.github.io/webappsec-credential-management/#dom-credential-collectfromcredentialstore-slot) method (which webauthn doesn't override) and the [`[[DiscoverFromExternalSource]]`](https://w3c.github.io/webappsec-credential-management/#dom-credential-discoverfromexternalsource-slot) method (which we [do override](https://w3c.github.io/webauthn/#getAssertion)). Because we don't override `[[CollectFromCredentialStore]]`, step 5.1 returns an empty list, so if the user passed `"silent"`, step 5.4 returns `null`, while if they passed `"optional"` or `"required"`, the algorithm proceeds to call `[[DiscoverFromExternalSource]]`, where webauthn does all of its work.

It probably makes sense to clarify this in https://w3c.github.io/webauthn/#getAssertion, saying that `navigator.credentials.get()` lands here, and that by not-overriding `[[CollectFromCredentialStore]]` we've disabled unmediated `get()` calls.

--
GitHub Notification of comment by jyasskin
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/566#issuecomment-333988852 using your GitHub account

Received on Tuesday, 3 October 2017 21:48:02 UTC
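
The mediation handling described in the message above, as an added example that is not part of the original message or of either specification. It is a simplified synchronous model; `requestCredential`, `baseCredentialInterface`, `makePublicKeyInterface` and the sample authenticator are hypothetical names, not browser APIs.

```javascript
// Simplified synchronous model of the mediation handling described above.
// Every name here is a hypothetical stand-in for a spec-internal slot,
// not a browser API.

// Defaults inherited from Credential: the store yields nothing.
const baseCredentialInterface = {
  collectFromCredentialStore: () => [],
  discoverFromExternalSource: () => null,
};

// Model of PublicKeyCredential: only the external-source slot is overridden.
function makePublicKeyInterface(authenticator) {
  return {
    ...baseCredentialInterface,
    discoverFromExternalSource: (options) => authenticator(options),
  };
}

function requestCredential(iface, options = {}) {
  const mediation = options.mediation ?? "optional";
  if (!["silent", "optional", "required"].includes(mediation)) {
    throw new TypeError(`unknown mediation: ${mediation}`);
  }
  // Step 5.1 in the message: ask the credential store first.
  const stored = iface.collectFromCredentialStore(options);
  // Simplified: the spec applies further conditions before returning a
  // stored credential without user mediation.
  if (stored.length === 1 && mediation !== "required") return stored[0];
  // Step 5.4 in the message: "silent" stops here with null.
  if (mediation === "silent") return null;
  // "optional" and "required" go on to the external source.
  return iface.discoverFromExternalSource(options);
}

// Constructed authenticator that counts how often it is reached.
let authenticatorCalls = 0;
const sampleAuthenticator = () => {
  authenticatorCalls += 1;
  return { type: "public-key", id: "constructed-credential-id" };
};
const publicKeyInterface = makePublicKeyInterface(sampleAuthenticator);
```

In this model a `"silent"` request never reaches the authenticator, which is the sense in which unmediated `get()` calls are disabled.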