- From: Matthew Miller via GitHub <sysbot+gh@w3.org>
- Date: Thu, 20 Oct 2022 23:56:07 +0000
- To: public-webauthn@w3.org

Hello everyone, we may be able to finally close this out. It's been observed recently that **Safari 16.0** has completely relaxed the user gesture requirement, allowing for WebAuthn to be invoked immediately on page load without any kind of user interaction.

I recorded a screenshot of a simple page that immediately invokes `navigator.credentials.get()` on page load, with a button to also invoke `.get()` with a user gesture. In both scenarios there are no issues triggering WebAuthn:

https://user-images.githubusercontent.com/5166470/197079787-b1df177d-83da-4c6f-9fb3-4ba1e41da27b.mov

I tested some more with this basic page in Browserstack and saw the same behavior in **Safari 15.6** (and maybe earlier, but this was the only 15.x version I could test). I had to go back to **Safari 14.1** to get back to a version that refused to invoke WebAuthn without a user gesture.

**Chrome Stable 106** also acted exactly the same as Safari 16.0 today. @nsatragno confirmed that Chrome currently has no such user gesture requirement and may never have; I thought Chrome used to at least require _some_ kind of user interaction even if it didn't directly invoke WebAuthn (client-side routing redirect, make an async network request, etc...) but currently it doesn't.

Based on this I think it's safe to start telling people that they can re-evaluate logic that might have tried to account for this, and that WebAuthn should be safe to invoke without additional considerations other than needing to provide a secure context.

--
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1293#issuecomment-1286287786 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 20 October 2022 23:56:09 UTC
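
An added example, not part of the original message or of any browser's code: one way a page could call `navigator.credentials.get()` on load and keep a button-triggered retry for browsers that still refuse without a user gesture, as Safari 14.1 is reported to above. The names `getAssertion`, `gestureFrom` and the status strings are hypothetical, and the use of `NotAllowedError` to detect the refusal is an assumption.

```javascript
// Added example; getAssertion, gestureFrom and the status strings are
// hypothetical names. In a page, pass credentials = navigator.credentials and
// isSecureContext = window.isSecureContext; they are injected here so the
// logic can also be exercised outside a browser.
async function getAssertion({ credentials, isSecureContext, publicKey, waitForGesture }) {
  // A secure context is the one precondition the message still calls out.
  if (!isSecureContext || !credentials) {
    return { status: "unavailable", credential: null };
  }
  try {
    // First attempt straight from page load, with no user interaction.
    const credential = await credentials.get({ publicKey });
    return { status: "on-load", credential };
  } catch (err) {
    // Assumption: a browser that still wants a gesture rejects with
    // NotAllowedError. User cancel and timeout use the same name, so the
    // retry below happens once, and only behind an explicit click.
    if (err.name !== "NotAllowedError") throw err;
  }
  await waitForGesture();
  const credential = await credentials.get({ publicKey });
  return { status: "after-gesture", credential };
}

// Browser-side helper: resolves on the next click of a sign-in button.
function gestureFrom(button) {
  return new Promise((resolve) => {
    button.addEventListener("click", () => resolve(), { once: true });
  });
}
```

The `publicKey` request options, including the challenge, are expected to come from the relying party's server for each attempt.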