[webauthn] Clarify behaviour of duplicate hints (#2135)

emlun has just created a new issue for https://github.com/w3c/webauthn:

== Clarify behaviour of duplicate hints ==
[§5.8.8. User-agent Hints Enumeration (enum PublicKeyCredentialHints)](https://w3c.github.io/webauthn/#enum-hints) defines some behaviour for how hints are interpreted relative to each other:

>Hints are provided in order of decreasing preference so, if two hints are contradictory, the first one controls. Hints may also overlap: if a more-specific hint is defined a [Relying Party](https://w3c.github.io/webauthn/#relying-party) may still wish to send less specific ones for user-agents that may not recognise the more specific one.

But there's nothing explicit about what happens if a hint appears more than once:

```js
{ hints: ["security-key", "client-device", "security-key"] }
```

A particularly adversarial reader could read this example as:

1. `"security-key"` is preferred over `"client-device"`,
2. `"client-device"` is preferred over `"security-key"`,
3. therefore the preference order is not well defined!

Perhaps more likely is that implementation bugs could inadvertently end up with that kind of logic if the implementation does not take care to check whether or not a hint has already been encountered.


## Proposed Change

Add to [§5.8.8. User-agent Hints Enumeration (enum PublicKeyCredentialHints)](https://w3c.github.io/webauthn/#enum-hints):

>If the same hint appears more than once, its second and later appearances are ignored.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2135 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 6 September 2024 10:50:51 UTC
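The following is an added illustration of the duplicate-hint case the issue describes; it is not code from the WebAuthn specification, from the issue author, or from any user agent. It models the two rules quoted above (hints are ordered by decreasing preference, so the first of two competing hints controls; unrecognised hints are skipped, which is what the quoted text assumes when it mentions user agents that may not recognise a hint) together with the proposed rule that second and later appearances of a hint are ignored. `KNOWN_HINTS` lists the three enum values; the function names, the pairwise `naivePrefers` check used to show how an implementation could end up with the circular preference the issue warns about, and the sample input are assumptions of this example.

```javascript
"use strict";

// Values of enum PublicKeyCredentialHints (§5.8.8). Any other string is
// treated as unrecognised and ignored, as the quoted spec text assumes.
const KNOWN_HINTS = new Set(["security-key", "client-device", "hybrid"]);

// Normalise a raw `hints` array (assumed helper, not part of the spec):
// drop unrecognised values and keep only the FIRST occurrence of each
// hint, so the remaining list is a strict preference order with no ties.
function normalizeHints(hints) {
  const seen = new Set();
  const ordered = [];
  for (const hint of hints ?? []) {
    if (!KNOWN_HINTS.has(hint)) continue; // unrecognised hint: ignore it
    if (seen.has(hint)) continue;         // second/later appearance: ignore it
    seen.add(hint);
    ordered.push(hint);
  }
  return ordered;
}

// The highest-preference recognised hint, or null when none is usable.
function preferredHint(hints) {
  const ordered = normalizeHints(hints);
  return ordered.length > 0 ? ordered[0] : null;
}

// A deliberately naive "does a outrank b" check that scans the raw array
// pairwise without remembering which hints it has already seen. This is the
// kind of logic the issue says an implementation could end up with: given
// ["security-key", "client-device", "security-key"] it answers "yes" for
// both (security-key, client-device) and (client-device, security-key).
function naivePrefers(rawHints, a, b) {
  for (let i = 0; i < rawHints.length; i++) {
    for (let j = i + 1; j < rawHints.length; j++) {
      if (rawHints[i] === a && rawHints[j] === b) return true;
    }
  }
  return false;
}

// The well-defined check: compare positions in the normalised list, where
// every hint appears at most once, so exactly one of prefers(a, b) and
// prefers(b, a) can be true for two distinct recognised hints.
function prefers(rawHints, a, b) {
  const ordered = normalizeHints(rawHints);
  const ia = ordered.indexOf(a);
  const ib = ordered.indexOf(b);
  if (ia === -1 || ib === -1) return false; // unrecognised or absent hint
  return ia < ib;
}

// Constructed sample input: the example from the issue.
const SAMPLE_HINTS = ["security-key", "client-device", "security-key"];

function demo() {
  return {
    normalized: normalizeHints(SAMPLE_HINTS),
    preferred: preferredHint(SAMPLE_HINTS),
    naiveCycle:
      naivePrefers(SAMPLE_HINTS, "security-key", "client-device") &&
      naivePrefers(SAMPLE_HINTS, "client-device", "security-key"),
    fixedCycle:
      prefers(SAMPLE_HINTS, "security-key", "client-device") &&
      prefers(SAMPLE_HINTS, "client-device", "security-key"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the block prints the normalised list `["security-key", "client-device"]`, the preferred hint `security-key`, `naiveCycle: true` (the naive scan claims each hint outranks the other) and `fixedCycle: false` (after first-occurrence deduplication the order is total). The same `normalizeHints` step also covers the "less specific hint sent alongside a more specific one" case: a client that does not recognise the specific hint simply drops it and the next recognised hint becomes the preferred one.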