Re: [webauthn] Code Injection vulnerability from client side (#1965) from Firstyear via GitHub on 2023-09-25 (public-webauthn@w3.org from September 2023)

From: Firstyear via GitHub <sysbot+gh@w3.org>
Date: Mon, 25 Sep 2023 23:45:46 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1734615473-1695685545-sysbot+gh@w3.org>

I agree with @arianvp here - as fun as it is to have nav.cred.get overriden, there should be mechanisms in browsers to allow PW managers to more seamlessly and cleanly hook webauthn requests. The benefit here then is that nav.cred.get can be protected from overloading, which prevents these attack patterns that have been described here. 

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1965#issuecomment-1734615473 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 25 September 2023 23:45:48 UTC