W3C home > Mailing lists > Public > public-webauthn@w3.org > January 2020

Re: [webauthn] Requiring user gesture to call WebAuthn API (#1293)

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Wed, 22 Jan 2020 20:48:27 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-577378396-1579726106-sysbot+gh@w3.org>
on 2020-01-22 call:  chrome folks @agl  indicated that changing this esp for top-level contexts would be very problematic for us, more sanguine re cross-origin iframes.  @jcjones thinks this applies for cross-origin iframes. presently top-level context must obtain user interaction to do full-screen.  @jcjones thinks this is still valid issue -- is 2 sep issues: (a) cross-origin iframes being interacted with before webauthn completes, and (b) requiring user interact for all webauthn for any context.  a thought/question is whether  interaction with top-level context can be used to allow webauthn in embedded cross-origin contexts.  @agl notes that (b) is a big deal and browsers would need to coordinate.  @jcjones notes that we need to review what the definitions for "interact" are?  (moving one's mouse?)   we ought to look at what the fullscreen API has done....?   (but might be disappointed there...)

-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1293#issuecomment-577378396 using your GitHub account
Received on Wednesday, 22 January 2020 20:48:29 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:38:37 UTC