Re: [webauthn] Provide a method to get the count of the credentials of a rely party on client device on user permission (#2255)

This will not work the way you want; it will be trivial to circumvent:

```js
window.PublicKeyCredential.getNumberOfCredentialsWithUserPermission = async function (options) {
  return 0;
};
```

Sure, not all users will know to do this. But once it becomes commonly known that websites use this technique, it will be equally trivial to create a browser extension that does this, or share it as a scriptlet that you can just paste into the console to bypass your site restrictions. Which is in itself harmful too: normalizing the idea of running strangers' code will lead to all kinds of malicious abuse.

The problem is that you do not trust your users to obey your terms of service, so you're asking for the browser to enforce your ToS. But the browser is the user's agent, in the user's control, so you cannot trust the browser to do it either. The user can just choose a browser that doesn't enforce your demands. This approach can never work, because the premise contradicts itself.

Therefore I am against this. Even with a permission prompt, this would be a net loss for privacy since we don't even gain any benefit in exchange, given that it wouldn't serve its purpose anyway.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2255#issuecomment-2640108237 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 6 February 2025 15:14:58 UTC
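The bypass described in the comment above, as an added example that is not part of the original thread or of the WebAuthn specification. It simulates in plain JavaScript (runs under Node, no browser needed) why a relying party cannot enforce a credential-count policy through a client-side API: the user owns the script environment, so both the API and any tamper check the site bolts onto it can be replaced. Assumptions: the method name `getNumberOfCredentialsWithUserPermission` is the one proposed in the issue and exists in no browser, so it is stubbed here; `makeWindow`, `rpAllowsRegistration`, the "one passkey per device" policy and the "looks native" tamper check are hypothetical constructions for this illustration.

```javascript
// Added example, not code from the thread or from the WebAuthn spec.
// Assumptions: getNumberOfCredentialsWithUserPermission is the method name
// proposed in the issue (it exists in no browser), and the relying-party
// policy plus the "looks native" tamper check below are hypothetical.

// Stand-in for the browser global with a pretend-native implementation that
// reports the device already holds `storedCount` credentials for this RP.
function makeWindow(storedCount) {
  async function getNumberOfCredentialsWithUserPermission(_options) {
    return storedCount;
  }
  // Real native functions stringify to "... { [native code] }"; emulate that
  // so the site's tamper check has something to look at.
  getNumberOfCredentialsWithUserPermission.toString = () =>
    'function getNumberOfCredentialsWithUserPermission() { [native code] }';
  return { PublicKeyCredential: { getNumberOfCredentialsWithUserPermission } };
}

// Relying party's client-side gate (hypothetical policy): allow registering a
// new passkey only when the device reports zero existing credentials.
async function rpAllowsRegistration(win) {
  const fn = win.PublicKeyCredential.getNumberOfCredentialsWithUserPermission;
  // Naive anti-tamper check a site might add: the function must stringify
  // like a native one. It runs in the user's environment, so it proves nothing.
  if (typeof fn !== 'function' || !String(fn).includes('[native code]')) {
    return { allowed: false, reason: 'api-tampered' };
  }
  const count = await fn.call(win.PublicKeyCredential, { rpId: 'example.com' });
  return count === 0
    ? { allowed: true, reason: 'no-existing-credential' }
    : { allowed: false, reason: 'credential-already-present' };
}

// Version 1: the one-liner from the comment, run by the user before the
// site's code (console paste, user script, or extension content script).
function naiveBypass(win) {
  win.PublicKeyCredential.getNumberOfCredentialsWithUserPermission = async function () {
    return 0;
  };
  return win;
}

// Version 2: if the site adds the "looks native" check, the user overrides
// toString as well. Every check the site can run is code the user controls.
function fullBypass(win) {
  const fake = async function getNumberOfCredentialsWithUserPermission() {
    return 0;
  };
  fake.toString = () =>
    'function getNumberOfCredentialsWithUserPermission() { [native code] }';
  win.PublicKeyCredential.getNumberOfCredentialsWithUserPermission = fake;
  return win;
}

// Run the three scenarios against a device that already holds two credentials.
async function demo() {
  return {
    honest: await rpAllowsRegistration(makeWindow(2)),
    naive: await rpAllowsRegistration(naiveBypass(makeWindow(2))),
    full: await rpAllowsRegistration(fullBypass(makeWindow(2))),
  };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The untouched environment denies registration, the one-line override is caught by the naive tamper check, and the two-line override sails through: each additional client-side check only raises the bypass by one more line of user-controlled script, which is the "premise contradicts itself" point made in the comment.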