[webauthn] Spec is not specific enough about order of conditional UI autofill tokens (#1982)

MasterKale has just created a new issue for https://github.com/w3c/webauthn:

== Spec is not specific enough about order of conditional UI autofill tokens ==
## Proposed Change

I've learned recently that Chrome expects the `username` autofill token to either appear by itself, or **after** the typical `username` or `password` tokens. However, based on current browser behavior out in the wild this isn't obvious (see screenshots below).

If you just read the WebAuthn spec itself, there's no obvious order suggested - the presence of the `webauthn` token _somewhere_ sounds like that's all that matters:

> If options.[mediation](https://w3c.github.io/webappsec-credential-management/#dom-credentialrequestoptions-mediation) is [conditional](https://w3c.github.io/webappsec-credential-management/#dom-credentialmediationrequirement-conditional) and the user interacts with an [input](https://html.spec.whatwg.org/multipage/input.html#the-input-element) or [textarea](https://html.spec.whatwg.org/multipage/form-elements.html#the-textarea-element) form control with an [autocomplete](https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#attr-fe-autocomplete) attribute whose value contains a "webauthn" [autofill detail token](https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#autofill-detail-tokens),

https://w3c.github.io/webauthn/#GetAssn-ConditionalMediation-Interact-FormControl

But I've been informed that in the WHATWG there's text that specifically says that the `webauthn` token must come after either `username` or `password`:

> 4. Optionally, a token that is an [ASCII case-insensitive](https://infra.spec.whatwg.org/#ascii-case-insensitive) match for the string "webauthn", meaning the user agent should show [public key credentials](https://w3c.github.io/webauthn/#public-key-credential) available via [conditional](https://w3c.github.io/webappsec-credential-management/#dom-credentialmediationrequirement-conditional) mediation when the user interacts with the form control. [webauthn](https://html.spec.whatwg.org/#attr-fe-autocomplete-webauthn) is only valid for [input](https://html.spec.whatwg.org/#the-input-element) and [textarea](https://html.spec.whatwg.org/#the-textarea-element) elements.

https://html.spec.whatwg.org/#autofill-detail-tokens

I think we need to clarify in the spec that there _is_ an order for the tokens that must be followed, and either spell out the order in WebAuthn, or emphasize more that the exact order can be confirmed by looking at that autofill detail tokens section of WHATWG.

Personally I'm proposing we address this by **specifically stating the order in the WebAuthn spec** (with a link to WHATWG for those who wish to dive deeper) to make the WebAuthn spec the one place most developers need to go to understand how to properly set up conditional UI.

## autocomplete="username webauthn"

**Chrome**

![Screenshot 2023-10-02 at 8 28 01 AM](https://github.com/w3c/webauthn/assets/5166470/c17bd13f-97ec-4294-8d4c-cc5da3e11285)

**Safari**

![Screenshot 2023-10-02 at 8 28 17 AM](https://github.com/w3c/webauthn/assets/5166470/2252cac7-ebdf-491c-a9e2-a714a93e75ec)

## autocomplete="webauthn username"

**Chrome (no autofill appears)**

![Screenshot 2023-10-02 at 8 24 49 AM](https://github.com/w3c/webauthn/assets/5166470/4af64e8a-a0b5-428b-a70a-4a0fb60e0646)

**Safari**

![Screenshot 2023-10-02 at 8 24 30 AM](https://github.com/w3c/webauthn/assets/5166470/1ef25211-76b8-44ba-9a59-1935f98e4941)
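An added example, not code from the issue or from the w3c/webauthn project: a small checker that encodes the token order the issue describes (`webauthn` alone, or last and directly after a `username` or `password` field token), together with the conditional-mediation `navigator.credentials.get()` call it is meant to pair with. The helper names, the `rpId`/`challenge` parameters and the restriction to those two field tokens are assumptions for the example; the HTML autofill grammar allows more.

```javascript
// Added example: validate the autocomplete attribute that triggers conditional UI
// (passkey autofill) and build the matching credentials.get() request.

// Field tokens the issue names as valid predecessors of "webauthn" (assumption:
// the real WHATWG grammar permits other field names as well).
const FIELD_TOKENS_BEFORE_WEBAUTHN = new Set(["username", "password"]);

// Returns true when `value` is an autocomplete value that a browser following the
// WHATWG token order treats as a conditional-UI trigger. Tokens are matched
// ASCII case-insensitively, as the quoted HTML text requires.
function isConditionalUiAutocomplete(value) {
  const tokens = value.trim().toLowerCase().split(/\s+/).filter(Boolean);
  const idx = tokens.indexOf("webauthn");
  if (idx === -1) return false;                 // no webauthn token at all
  if (tokens.length === 1) return true;         // "webauthn" by itself
  if (idx !== tokens.length - 1) return false;  // "webauthn username" is rejected
  return FIELD_TOKENS_BEFORE_WEBAUTHN.has(tokens[idx - 1]);
}

// Builds the CredentialRequestOptions for conditional mediation. `challenge` is
// the server-issued challenge (a BufferSource) and `rpId` the relying party id.
function conditionalGetOptions(challenge, rpId) {
  return {
    mediation: "conditional",
    publicKey: { challenge, rpId, userVerification: "preferred" },
  };
}

// Browser-only: check the input's autocomplete value, then start the conditional
// request so the browser can offer passkeys in the autofill dropdown.
async function startConditionalUi(inputEl, challenge, rpId) {
  const autocomplete = inputEl.getAttribute("autocomplete") || "";
  if (!isConditionalUiAutocomplete(autocomplete)) {
    throw new Error('input needs e.g. autocomplete="username webauthn"');
  }
  if (!(await PublicKeyCredential.isConditionalMediationAvailable?.())) {
    return null; // this browser cannot surface passkeys via autofill
  }
  return navigator.credentials.get(conditionalGetOptions(challenge, rpId));
}
```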

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1982 using your GitHub account

-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 2 October 2023 15:41:18 UTC