[webauthn] [[Create]] should not access the global object directly (#2092)

nsatragno has just created a new issue for https://github.com/w3c/webauthn:

== [[Create]] should not access the global object directly ==
The `[[Create]]` internal method for `PublicKeyCredential` has the following [text](https://w3c.github.io/webauthn/#sctn-discover-from-external-source:~:text=If%20the%20relevant,relevant%20global%20object.):

```
1. If the [=relevant global object=], as determined by the calling
    {{CredentialsContainer/create()}} implementation, does not have
    [=transient activation=]:

    1. Throw a "{{NotAllowedError}}" {{DOMException}}.

1. [=Consume user activation=] of the [=relevant global object=].
```

However, [`[[Create]]` is called in parallel](https://w3c.github.io/webappsec-credential-management/#algorithm-create-cred), which means it [cannot access the global object](https://html.spec.whatwg.org/multipage/webappapis.html#event-loop-for-spec-authors). This was [pointed out](https://github.com/w3c/webappsec-credential-management/issues/243) for a different spec by @marcoscaceres.

I think the strange "as determined by the calling {{CredentialsContainer/create()}} implementation" may be trying to work around this issue, but consuming user activation does not have that blurb and to me that looks like underspecified behaviour. This might need some changes in credman: either we make it so internal methods can be run from the main thread, or we put this spec from webauthn directly in credman like we did for permissions policy.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2092 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 2 July 2024 19:24:32 UTC