- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Mon, 18 Sep 2023 09:06:55 +0000
- To: public-webauthn@w3.org
I would also like to add that the proposed mitigation of "backing up" the original value of `navigator.credentials.get` does little to nothing to prevent an attacker from modifying the script running in a browser on their own machine. Such an attacker could just as well intercept the delivery of the script file itself and make any modifications they wish, or indeed they don't even need to run the web app in a full browser. You could just as well simulate the same authentication process against the raw backend API using cURL, Telnet, Python or any other combination of network and scripting tools. This mitigation _could_ help against malicious script injections overwriting `navigator.credentials.get` on the victim's machine, but for that there are better countermeasures such as the [`Content-Security-Policy` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy). -- GitHub Notification of comment by emlun Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1965#issuecomment-1723019532 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 18 September 2023 09:06:58 UTC