Re: [webauthn] Proposal/discussion: non-extractable CryptoKey output from the prf extension (#1895) from Matthew Miller via GitHub on 2023-06-05 (public-webauthn@w3.org from June 2023)

From: Matthew Miller via GitHub <sysbot+gh@w3.org>
Date: Mon, 05 Jun 2023 19:17:38 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1577345542-1685992656-sysbot+gh@w3.org>

I don't know that this would achieve the desired effect. The options could be intercepted by malicious code before the call to `.get()` and `asCryptoKey` could then be flipped to `false` without the RP knowing any better. Then at that point this protection is bypassed and we're back to where we are now :(

-- 
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1895#issuecomment-1577345542 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 5 June 2023 19:17:39 UTC