[webauthn] Mechanism for encoding *direction* metadata may need more work (#1644)

aphillips has just created a new issue for https://github.com/w3c/webauthn:

== Mechanism for encoding *direction* metadata may need more work ==
6.4.2. Language and Direction Encoding
https://www.w3.org/TR/webauthn-2/#sctn-strings-langdir

> The second consists of a single code point which is either U+200E (“LEFT-TO-RIGHT MARK”), U+200F (“RIGHT-TO-LEFT MARK”), or U+E007F (“CANCEL TAG”). The first two can be used to indicate directionality but SHOULD only be used when necessary to produce the correct result. (E.g. an RTL string that starts with LTR-strong characters.) The value U+E007F is a direction-agnostic indication of the end of the language tag.

The mechanism for indicating base direction makes the I18N working group concerned for multiple reasons:

* This is a unique and thus unproven encoding mechanism. It requires string introspection that would likely produce errors, especially since authenticators are expected to consume these strings naively.
* Separate bidi metadata fields are preferred to inline metadata (see #1643).
* Bidi metadata values are preferred to using bidi control characters as the actual value. We recommend using strings such as `ltr` or `rtl` (and appropriately decorated as metadata or set off from the content). Using strings makes the value visible when editing the content and easier to debug, vs. invisible controls.
* RLM/LRM are strongly directional characters and should precede the string, as they would result in many cases in the correct rendering. This is independent of whether the language identification should appear at the start or end.
   * If the RLM/LRM appears at the end of the string, replacing the `CANCEL` tag character, they might impact the display of any string immediately concatenated onto a naive display of the value.
   * Because RLM/LRM are normal bidi controls, if added to the start of the string, it is impossible to determine if they are part of the data or were added by the implementation. There is potential danger that implementations would add extra characters as a result.

Regardless of the direction metadata mechanism, this section should include a health warning to consumers to present language data in a bidi-isolating context.


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1644 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 9 July 2021 17:38:07 UTC
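
The introspection discussed in the issue, as an added example that is not part of the original message or of the WebAuthn specification: it splits the trailing metadata into separate `lang` and `dir` fields and wraps the text in bidi isolates before display. The function names and the sample string are hypothetical; the language-tag layout (U+E0001 followed by the tag's ASCII values shifted up by U+E0000) comes from the same section of WebAuthn Level 2 and is not quoted in the issue.

```javascript
// Added example (hypothetical helper names): split WebAuthn L2 section 6.4.2
// trailing metadata into separate fields, then isolate the text for display.
const TAG_BASE = 0xE0000;    // tag characters are ASCII shifted up by U+E0000
const LANG_START = 0xE0001;  // LANGUAGE TAG, opens the encoded language tag
const CANCEL_TAG = 0xE007F;  // direction-agnostic terminator
const LRM = 0x200E, RLM = 0x200F;
const LRI = "\u2066", RLI = "\u2067", FSI = "\u2068", PDI = "\u2069";

function splitLangDir(value) {
  const cps = Array.from(value, (ch) => ch.codePointAt(0));
  const plain = { text: value, lang: null, dir: null };
  const last = cps[cps.length - 1];
  if (last !== LRM && last !== RLM && last !== CANCEL_TAG) return plain;
  // Walk back over tag characters (shifted printable ASCII) to U+E0001.
  let i = cps.length - 2;
  while (i >= 0 && cps[i] >= TAG_BASE + 0x20 && cps[i] <= TAG_BASE + 0x7E) i--;
  // Assumption of this sketch: without U+E0001, or with an empty tag, the
  // trailing mark is treated as ordinary data rather than metadata.
  if (i < 0 || cps[i] !== LANG_START || i === cps.length - 2) return plain;
  const lang = String.fromCodePoint(
    ...cps.slice(i + 1, -1).map((c) => c - TAG_BASE));
  // Report direction as a visible string value, as the issue recommends.
  const dir = last === LRM ? "ltr" : last === RLM ? "rtl" : null;
  return { text: String.fromCodePoint(...cps.slice(0, i)), lang, dir };
}

// Bidi-isolating context: the value cannot reorder text concatenated around it.
function isolateForDisplay({ text, dir }) {
  const open = dir === "ltr" ? LRI : dir === "rtl" ? RLI : FSI;
  return open + text + PDI;
}

// Constructed sample: an RTL name starting with LTR-strong characters,
// followed by the encoded tag "he" and U+200F.
const SAMPLE = "ABC \u05D0\u05D1\u05D2" + "\u{E0001}\u{E0068}\u{E0065}" + "\u200F";

const parsed = splitLangDir(SAMPLE);
console.log(parsed.lang, parsed.dir, JSON.stringify(isolateForDisplay(parsed)));
```

A value that merely ends in U+200E or U+200F with no preceding language tag comes back unchanged, which is the data-versus-metadata ambiguity the issue describes for marks placed at the start of the string.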