nsatragno has just created a new issue for https://github.com/w3c/webauthn:

== Better specify what an unknown type credential descriptor being ignored means ==
We use credential descriptors "`PublicKeyCredentialDescriptor`" for allow lists & exclude lists. The spec says

> [...][client platforms](https://w3c.github.io/webauthn/#client-platform) MUST ignore any [PublicKeyCredentialDescriptor](https://w3c.github.io/webauthn/#dictdef-publickeycredentialdescriptor) with an unknown [type](https://w3c.github.io/webauthn/#dom-publickeycredentialdescriptor-type).

There's no further specification for unknown types. If we follow the spec to the letter, a possible interpretation ends up with:

```javascript
navigator.credentials.get({
  publicKey: {
    allowCredentials: [{type: "not-yet-supported-by-browser", id: <id>}],
  }
});
```

Resulting in an empty `allowCredentials` request, which is definitely not what the RP intended.

I think we should immediately return `NotAllowedError` in this case, based on prior text:

> If issuedRequests is empty, options.[allowCredentials](https://w3c.github.io/webauthn/#dom-publickeycredentialrequestoptions-allowcredentials) is not empty, and no authenticator will become available for any [public key credentials](https://w3c.github.io/webauthn/#public-key-credential) therein, Indicate to the user that no eligible credential could be found. When the user acknowledges the dialog, throw a "[NotAllowedError](https://webidl.spec.whatwg.org/#notallowederror)" [DOMException](https://webidl.spec.whatwg.org/#idl-DOMException).

This is not a problem for `excludeCredentials`, since in that case the browser will simply discard the unknown credential type.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1748 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 17 June 2022 16:21:42 UTC
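The two readings discussed in the issue above, modelled as an added example that is not part of the original message, the specification text, or any browser's code. The names `filterDescriptors` and `resolveAllowList` and the `strict` flag are assumptions made for illustration, and the credential id is constructed.

```javascript
// "public-key" is the only credential type WebAuthn currently defines.
const KNOWN_TYPES = new Set(["public-key"]);

// Drop descriptors whose type the client does not recognise. This alone is
// enough for excludeCredentials, where an unknown entry can be discarded.
function filterDescriptors(descriptors = []) {
  return descriptors.filter((d) => KNOWN_TYPES.has(d.type));
}

// Decide how a get() request proceeds after filtering.
//   strict = false: literal reading; the filtered list is used as-is.
//   strict = true:  behaviour proposed in the issue; a list that was non-empty
//                   but has no usable entry left is rejected.
function resolveAllowList(options, { strict }) {
  const requested = options.allowCredentials ?? [];
  const usable = filterDescriptors(requested);

  if (strict && requested.length > 0 && usable.length === 0) {
    // A browser would throw a DOMException; a plain Error with the same name
    // keeps this model runnable outside a browser.
    const err = new Error("allowCredentials has no descriptor of a known type");
    err.name = "NotAllowedError";
    throw err;
  }

  // An empty allow list tells the client to look for discoverable credentials,
  // so the RP's restriction to specific credentials is silently lost.
  return {
    mode: usable.length === 0 ? "discoverable" : "allow-list",
    allowCredentials: usable,
  };
}

// Constructed sample request mirroring the one in the issue.
const sampleId = new Uint8Array([1, 2, 3, 4]);
const unknownOnly = {
  allowCredentials: [{ type: "not-yet-supported-by-browser", id: sampleId }],
};

console.log(resolveAllowList(unknownOnly, { strict: false }).mode);
try {
  resolveAllowList(unknownOnly, { strict: true });
} catch (e) {
  console.log(e.name);
}
```

A relying party can guard against the literal reading on its side by checking, before calling `navigator.credentials.get()`, that every descriptor it sends uses a type it expects clients to support.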
This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:46 UTC