Re: [webauthn] Need to have authenticator-only extensions (#2331)

> Browsers also cannot make any guarantees to their users about the privacy & security of WebAuthn if they allow unvetted extensions.
> 
> > If browser vendors ignore what's in the specification, they shouldn't claim that their companies are behind the passkeys :-) I thought that all alliance members should make sure their implementations are compliant with the published specifications, no?
> 
> This understanding of web standards is incorrect: the specification needs a browser implementation to become a standard, not the other way around. If no browser implements a certain feature, it's removed from the specification (or more commonly, never added in the first place).

If there is no support from browser vendors, any specification involving a client component would essentially be meaningless. I understand that the platform vendors do have such power. The question is: is blocking unknown extensions the right thing to do? Is this in the best interest of this ecosystem?

As I stated earlier, I don't think there is a real security and privacy concern in allowing extensions clearly marked as intended only for authenticators to pass through. If an authenticator willingly chooses to participate in processing the custom extensions, such behavior won't jeopardize those unsuspecting authenticators in any way. There are plenty of precedents on the Internet where intermediaries refrain from intercepting such end-to-end communication.

I strongly believe that it is not advisable for intermediaries to block all traffic that is unknown to them. Extensions are there for the precise reason that we may not know all their uses ahead of time.

-- 
GitHub Notification of comment by joshzhao
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2331#issuecomment-3375187588 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 7 October 2025 04:52:15 UTC