Re: [webauthn] WebAuthn available to Workers? aka "silent authentication" (#199)

This might be the wrong place to chime in; I'm sorry if so. A potential value I've been thinking about for being able to create and get credentials from a worker context is that potentially malicious scripts or browser extension content scripts may have access to the window.

Such scripts could either trigger a request to get credentials, which may have associated secrets using `prf` or `largeBlob`, or they may be able to intercept these calls or read these values or other information about the credential like the `userHandle`.

I may be thinking about this wrong, but being able to make these calls from a worker could be beneficial if such scripts have less access.

-- 
GitHub Notification of comment by jordansexton
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/199#issuecomment-1692079234 using your GitHub account


Received on Thursday, 24 August 2023 16:56:55 UTC