Re: [webauthn] Add explicit description on what should be done in incognito/private browsing mode (#1174)

> Basic thought I had was, having different behavior in inprivate/incognito mode and regular mode gives away the knowledge of the browser's operating mode to the RP, which all browsers strive not to do.

We certainly don't want to create an isIncognito() call. Thus easily observable behaviour changes that result in a low-noise analog of isIncognito() are bad.

I think registering / asserting a credential is abrupt enough that it doesn't count as “easily observable” (so long as there are no silent failures that are distinguishable), so it's isUVPAA that's the major worry. For Android and Windows, [isUVPAA returns false](https://cs.chromium.org/chromium/src/chrome/browser/webauthn/chrome_authenticator_request_delegate.cc?rcl=dc1714fa48e02e61fba27a1c1fc720f95bcd3323&l=333) in Incognito. This is a signal, but it's very noisy and thus hopefully useless for sites trying to figure out whether a JavaScript context is in an incognito session.

As Martin notes [above](https://github.com/w3c/webauthn/issues/1174#issuecomment-501833031), we do support platform authenticators on macOS with warnings. I think the reason that we don't do something similar for Windows and Android is a lack of ability to conveniently show such warnings.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1174#issuecomment-512568671 using your GitHub account

Received on Wednesday, 17 July 2019 21:06:25 UTC
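The comment above concerns how a relying party should treat the result of `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` (isUVPAA). The following is an added example, not code from agl, Chromium or the WebAuthn spec, showing the defender-side pattern that makes the signal harmless: a `false` result only changes which authenticator attachment the RP requests, and is never stored or interpreted as a statement about the browsing mode. The `rp`, `user` and `challenge` values are constructed placeholders; the real challenge must come from the server.

```javascript
// Added example (not part of the original thread). Relying-party (RP) helper
// code around the WebAuthn isUVPAA query. Assumptions: a browser exposing
// PublicKeyCredential and navigator.credentials; placeholder RP/user/challenge
// values that a real deployment fetches from its server.

// Returns true only when a user-verifying platform authenticator is reported
// as available. Any other outcome (API missing, promise rejected, false)
// collapses to false, so the caller sees one bit with many possible causes:
// no platform authenticator, an older browser, a policy, or private browsing.
// The RP cannot and should not tell these apart.
async function isPlatformAuthenticatorAvailable(cred = globalThis.PublicKeyCredential) {
  if (!cred || typeof cred.isUserVerifyingPlatformAuthenticatorAvailable !== 'function') {
    return false; // WebAuthn, or the query itself, is not supported here
  }
  try {
    return await cred.isUserVerifyingPlatformAuthenticatorAvailable();
  } catch (err) {
    return false; // treat an error exactly like "unavailable"
  }
}

// Builds PublicKeyCredentialCreationOptions. When a platform authenticator is
// available the RP asks for it explicitly; otherwise it leaves
// authenticatorAttachment unset so any authenticator (for example a roaming
// security key) can be used. Nothing else about the flow differs.
function chooseRegistrationOptions(uvpaaAvailable, rp, user, challenge) {
  const authenticatorSelection = uvpaaAvailable
    ? { authenticatorAttachment: 'platform', userVerification: 'required' }
    : { userVerification: 'preferred' };

  return {
    challenge,
    rp,
    user,
    pubKeyCredParams: [
      { type: 'public-key', alg: -7 },   // ES256
      { type: 'public-key', alg: -257 }, // RS256
    ],
    timeout: 60000,
    attestation: 'none',
    authenticatorSelection,
  };
}

// End-to-end registration as an RP would run it in the page. Every failure of
// create() is reported to the user with the same generic message: the RP does
// not probe for, log, or branch on the specific reason.
async function registerCredential(rp, user, challenge) {
  if (typeof navigator === 'undefined' || !navigator.credentials) {
    return { ok: false, message: 'Security keys are not supported in this browser.' };
  }
  const uvpaa = await isPlatformAuthenticatorAvailable();
  const publicKey = chooseRegistrationOptions(uvpaa, rp, user, challenge);
  try {
    const credential = await navigator.credentials.create({ publicKey });
    return { ok: true, credential };
  } catch (err) {
    return { ok: false, message: 'Could not register a security key. Please try again.' };
  }
}

// Constructed placeholder inputs for a stand-alone run (a server supplies the
// real challenge and user handle).
const EXAMPLE_RP = { id: 'example.com', name: 'Example RP' };
const EXAMPLE_USER = {
  id: new Uint8Array([1, 2, 3, 4]),
  name: 'alice@example.com',
  displayName: 'Alice',
};
const EXAMPLE_CHALLENGE = new Uint8Array(32); // placeholder; never reuse a fixed challenge

if (typeof navigator !== 'undefined' && navigator.credentials) {
  registerCredential(EXAMPLE_RP, EXAMPLE_USER, EXAMPLE_CHALLENGE).then((r) => console.log(r));
}
```

The only place `uvpaa` is used is `chooseRegistrationOptions`, and its effect is limited to the `authenticatorSelection` member; the RP keeps no record of the value and shows identical flows otherwise, which is what keeps a `false` from Incognito indistinguishable from a `false` on a machine without a platform authenticator.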