- From: Ehsan Toreini via GitHub <noreply@w3.org>
- Date: Fri, 01 Aug 2025 13:00:44 +0000
- To: public-webauthn@w3.org
I think the current spec might leave some room for interpretation, so I request clarification in the text to mitigate a potential privacy leakage.

Here is my concern: there should be more clarification on the incognito fingerprinting. Timing consideration is predicted to mitigate this attack in the explainer: "To avoid incognito fingerprinting, this response can be delayed by the browser to simulate the browser fetching credential metadata from the system."

Also, there are three scenarios that throw NotAllowedError:

* when there are no locally-available credentials
* when browsed in private mode
* when requests have allowlists

It looks like the user agent throws the error with synthetic delay only in private mode. From the text I can conclude this: **if the RP provides an allowlist, the UA is expected to immediately throw an error.**

However, a combination of these two might leak incognito fingerprinting:

> allowlist with mediation: 'immediate' -> if error thrown with delay (to simulate browser fetching credential metadata) -> private browsing

Can you please make this clear in the privacy section?

--
GitHub Notification of comment by toreini
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2307#issuecomment-3144509489 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 1 August 2025 13:00:45 UTC
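
The ambiguity raised in the comment above can be checked with a small model. This is an added example, not spec text or code from the WebAuthn repository; the field names (`hasAllowList`, `privateMode`, `hasLocalCreds`), the two timing classes and both policy functions are assumptions made for illustration. The check asks whether a private-mode rejection looks the same to the RP as a normal profile with no local credentials.

```javascript
// Added model (not spec text). A policy maps (request, context) to what the
// RP can observe: the error name and a coarse timing class.
// "fetch-like" = as slow as a real credential-metadata lookup; "fast" = immediate.

// One reading of the text: private mode is checked first and always gets the
// synthetic delay; otherwise an allowlist is rejected immediately.
function privateFirstPolicy(req, ctx) {
  if (ctx.privateMode) return { error: "NotAllowedError", timing: "fetch-like" };
  if (req.hasAllowList) return { error: "NotAllowedError", timing: "fast" };
  if (!ctx.hasLocalCreds) return { error: "NotAllowedError", timing: "fetch-like" };
  return { error: null, timing: "fetch-like" }; // credential UI would be shown
}

// Alternative ordering (assumption): decide on the request shape first, so an
// allowlist is rejected immediately in every browsing mode.
function requestFirstPolicy(req, ctx) {
  if (req.hasAllowList) return { error: "NotAllowedError", timing: "fast" };
  if (ctx.privateMode || !ctx.hasLocalCreds) {
    return { error: "NotAllowedError", timing: "fetch-like" };
  }
  return { error: null, timing: "fetch-like" };
}

// Returns the request shapes for which private mode is distinguishable from
// a normal profile that simply has no local credentials.
function leakingRequests(policy) {
  const leaks = [];
  for (const hasAllowList of [false, true]) {
    const req = { mediation: "immediate", hasAllowList };
    const priv = policy(req, { privateMode: true, hasLocalCreds: false });
    const normal = policy(req, { privateMode: false, hasLocalCreds: false });
    if (priv.error !== normal.error || priv.timing !== normal.timing) {
      leaks.push(hasAllowList ? "allowlist" : "no-allowlist");
    }
  }
  return leaks;
}

console.log(leakingRequests(privateFirstPolicy));  // allowlist requests leak
console.log(leakingRequests(requestFirstPolicy));  // no distinguishable shape
```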