W3C home > Mailing lists > Public > public-webauthn@w3.org > July 2019

Re: [webauthn] Add explicit description on what should be done in incognito/private browsing mode (#1174)

From: Adam Langley via GitHub <sysbot+gh@w3.org>
Date: Wed, 17 Jul 2019 21:06:24 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-512568671-1563397582-sysbot+gh@w3.org>
> Basic thought I had was, having different behavior in inprivate/incognito mode and regular mode gives away the knowledge of the browser's operating mode to the RP, which all browsers strive not to do.

We certainly don't want to create an isIncognito() call. Thus easily observable behaviour changes that result in a low-noise analog of isIncognito() are bad.

I think registering / asserting a credential is abrupt enough that it doesn't count as "easily observable" (so long as there are no silent failures that are distinguishable), so it's isUVPAA that's the major worry. For Android and Windows, [isUVPAA returns false](https://cs.chromium.org/chromium/src/chrome/browser/webauthn/chrome_authenticator_request_delegate.cc?rcl=dc1714fa48e02e61fba27a1c1fc720f95bcd3323&l=333) in Incognito. This is a signal, but it's very noisy and thus hopefully useless for sites trying to figure out whether a JavaScript context is in an incognito session.

As Martin notes [above](https://github.com/w3c/webauthn/issues/1174#issuecomment-501833031), we do support platform authenticators on macOS with warnings. I think the reason that we don't do something similar for Windows and Android is a lack of ability to conveniently show such warnings.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1174#issuecomment-512568671 using your GitHub account
Received on Wednesday, 17 July 2019 21:06:25 UTC
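The practical consequence of the comment above for a relying party is that a `false` from `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` carries no information beyond "don't ask for a platform authenticator here": it is the same answer on a desktop without a fingerprint reader, on a browser that predates the API, and in an Incognito window on Android or Windows. The following is an added example, not code from the thread, from the WebAuthn spec or from Chromium, showing RP-side registration logic that collapses all of those cases into one and falls back to a roaming (cross-platform) authenticator. The function names, the sample rp/user values, and the fake `PublicKeyCredential` objects used for offline testing are assumptions for illustration.

```javascript
// Added example (not from the thread, the spec or Chromium): RP registration
// logic that treats isUVPAA() === false only as "no usable platform
// authenticator", never as a hint about the browser's private-browsing mode.

// Feature-detect isUVPAA the way a browser RP would.  An absent API, a
// rejected promise and a false answer all collapse to "not available".  The
// three cases are deliberately not distinguished: the RP has no legitimate
// use for the distinction, and distinguishing them is exactly the kind of
// low-noise oracle the thread above wants to avoid.
async function platformAuthenticatorAvailable(pkc = globalThis.PublicKeyCredential) {
  if (!pkc || typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== "function") {
    return false;
  }
  try {
    return (await pkc.isUserVerifyingPlatformAuthenticatorAvailable()) === true;
  } catch (_err) {
    return false;
  }
}

// Build PublicKeyCredentialCreationOptions for navigator.credentials.create().
// `uvpaa` is the boolean from platformAuthenticatorAvailable(); `challenge`
// and `userId` must be server-generated random bytes.
function buildCreationOptions({ rpId, rpName, userId, userName, challenge, uvpaa }) {
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new Error("challenge must be at least 16 random bytes minted by the server");
  }
  // With a platform authenticator we can require user verification (Touch ID,
  // Windows Hello, Android biometrics).  Without one we ask for a roaming
  // authenticator and only *prefer* UV, since many security keys lack a PIN.
  const authenticatorSelection = uvpaa
    ? { authenticatorAttachment: "platform", userVerification: "required" }
    : { authenticatorAttachment: "cross-platform", userVerification: "preferred" };
  return {
    rp: { id: rpId, name: rpName },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256, for older Windows Hello / some keys
    ],
    timeout: 60000,
    attestation: "none",
    authenticatorSelection,
  };
}

// Constructed sample inputs for illustration (not real server values; a
// real server mints a fresh random challenge and user.id per registration).
const SAMPLE = {
  rpId: "example.com",
  rpName: "Example RP (assumed)",
  userId: Uint8Array.from({ length: 16 }, (_, i) => 0xa0 + i),
  userName: "alice",
  challenge: Uint8Array.from({ length: 32 }, (_, i) => i),
};

// Browser entry point: probe, build options, create.  `create` is injectable
// so the logic can be exercised outside a browser.
async function registerWithFallback(create = (opts) => globalThis.navigator.credentials.create(opts)) {
  const uvpaa = await platformAuthenticatorAvailable();
  const publicKey = buildCreationOptions({ ...SAMPLE, uvpaa });
  return create({ publicKey });
}
```

Note that nothing in the flow branches on *why* `platformAuthenticatorAvailable()` returned `false`; a site that instead tried to infer Incognito from that value would be wrong on every Linux desktop and on every Mac without Touch ID, which is the noise the comment above is relying on.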
