[webauthn] Length restriction on user handles has no processing model associated with it (#1302)

bzbarsky has just created a new issue for https://github.com/w3c/webauthn:

== Length restriction on user handles has no processing model associated with it ==
https://w3c.github.io/webauthn/#dom-publickeycredentialuserentity-id says:

> A user handle is an opaque byte sequence with a maximum size of 64 bytes

but nothing says where or whether that maximum size is enforced. Based on code inspection, Firefox checks for this in code that gets called from `CredentialsContainer.create` and throws an exception (a DOMException with name "TypeError") if the user handle is longer than 64 bytes. Also based on code inspection, it looks like Chrome throws a JS TypeError in this situation (with a comment about <https://www.w3.org/TR/webauthn/#user-handle>).

Note that the lack of a clear processing model leads to a lack of interop here: the two browsers are throwing totally different kinds of exceptions...

@jcjones 

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1302 using your GitHub account

Received on Wednesday, 18 September 2019 04:35:01 UTC
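
One way a relying party's page script can avoid depending on the behaviour this issue describes, as an added example that is not from the issue, the spec or either browser: check the 64-byte limit before calling `create()` and treat both reported exception shapes alike. The function names and error codes are hypothetical.

```javascript
// Added example (not browser or spec code). Names and error codes are hypothetical.
const MAX_USER_HANDLE_BYTES = 64; // limit quoted in the issue from the spec text

// Byte length of a BufferSource (ArrayBuffer, typed array or DataView), else -1.
// For a view, byteLength is the size of the view, not of its backing buffer.
function userHandleByteLength(id) {
  if (id instanceof ArrayBuffer || ArrayBuffer.isView(id)) return id.byteLength;
  return -1;
}

// Check options.user.id before the browser sees it, so the outcome does not
// depend on where (or whether) a given browser enforces the limit.
function checkUserHandle(publicKeyOptions) {
  const id = publicKeyOptions?.user?.id;
  const len = userHandleByteLength(id);
  if (len < 0) return { ok: false, reason: "user.id is not a BufferSource" };
  if (len > MAX_USER_HANDLE_BYTES) {
    return { ok: false, reason: `user.id is ${len} bytes, limit is ${MAX_USER_HANDLE_BYTES}` };
  }
  return { ok: true, length: len };
}

// True for both shapes reported in the issue: a JS TypeError and a
// DOMException whose name is "TypeError" (not an instance of TypeError).
function isTypeErrorLike(err) {
  return err instanceof TypeError ||
    (err !== null && typeof err === "object" && err.name === "TypeError");
}

// Wrapper giving callers one error shape regardless of browser.
// `credentials` is injectable for testing; in a page it is navigator.credentials.
async function createCredentialChecked(publicKeyOptions,
                                       credentials = globalThis.navigator.credentials) {
  const check = checkUserHandle(publicKeyOptions);
  if (!check.ok) {
    throw Object.assign(new Error(check.reason), { code: "USER_HANDLE_INVALID" });
  }
  try {
    return await credentials.create({ publicKey: publicKeyOptions });
  } catch (err) {
    if (isTypeErrorLike(err)) {
      throw Object.assign(new Error("options rejected by browser"),
                          { code: "OPTIONS_REJECTED", cause: err });
    }
    throw err; // NotAllowedError etc. pass through unchanged
  }
}
```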