Re: [webauthn] Requiring user gesture to call WebAuthn API (#1293)

on 2020-01-22 call:  chrome folks @agl  indicated that changing this esp for top-level contexts would be very problematic for us, more sanguine re cross-origin iframes.  @jcjones thinks this applies for cross-origin iframes. presently top-level context must obtain user interaction to do full-screen.  @jcjones thinks this is still valid issue -- is 2 sep issues: (a) cross-origin iframes being interacted with before webauthn completes, and (b) requiring user interact for all webauthn for any context.  a thought/question is whether  interaction with top-level context can be used to allow webauthn in embedded cross-origin contexts.  @agl notes that (b) is a big deal and browsers would need to coordinate.  @jcjones notes that we need to review what the definitions for "interact" are?  (moving one's mouse?)   we ought to look at what the fullscreen API has done....?   (but might be disappointed there...)

GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at using your GitHub account

Received on Wednesday, 22 January 2020 20:48:29 UTC