- From: Matthew Miller via GitHub <sysbot+gh@w3.org>
- Date: Wed, 26 Jun 2024 18:23:27 +0000
- To: public-webauthn@w3.org
@nsatragno helped me understand last week that, unfortunately, `NoCredentialsError` needs to be removed from consideration. If malicious code executed `.get()` on a site on which the user has no credentials, the confused user would be shown by the browser that they have no credentials, click Cancel because "why was I shown that, I didn't try to log in", returning `NoCredentialsError` to the malicious code could be used to fingerprint the user. `UserCancelledError` could still be returned, though, so I think the latter survives initial scrutiny. -- GitHub Notification of comment by MasterKale Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2062#issuecomment-2192374805 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 26 June 2024 18:23:28 UTC