- From: James Elliott via GitHub <sysbot+gh@w3.org>
- Date: Fri, 21 Oct 2022 23:29:09 +0000
- To: public-webauthn@w3.org
> Safari 16 changes the user gesture policy. Each tab gets a “freebie” attempt at a .get without a user gesture. After that, the user gesture requirement comes back. So I’d keep some of your handling around — be able to handle rejection and get a user gesture. I think this specific flow Apple has decided to use is probably representative of the vast majority of implementations prior to them considering Apple's _unique_ way of handling Webauthn, or implementations that never considered it. i.e. either all attempts are triggered by a gesture (typically a click) or if there are automatic attempts then they're only the first attempt. > **Chrome Stable 106** also acted exactly the same as Safari 16.0 today. @nsatragno confirmed that Chrome currently has no such user gesture requirement and may never have; I thought Chrome used to at least require _some_ kind of user interaction even if it didn't directly invoke WebAuthn (client-side routing redirect, make an async network request, etc...) but currently it doesn't. I think it's possible this only happened on Apple devices, specifically iOS devices. I'm not certain of this, however the underlying reason I believe this is that all browsers at least on iOS are effectively rebranded Safari browsers. -- GitHub Notification of comment by james-d-elliott Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1293#issuecomment-1287532054 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 21 October 2022 23:29:11 UTC