Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add permissions-policy check for publicKey credentials #182

Merged
merged 4 commits into from
Jan 6, 2022
Merged

Add permissions-policy check for publicKey credentials #182

Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
c68fd02
Add permissions-policy check for publicKey credentials
equalsJeffH Dec 6, 2021
541e317
incorp nsatragno & jyasskin feedback, thx!
equalsJeffH Dec 21, 2021
4e5dc92
Merge branch 'main' into jeffh-fix-136-webauthn-permissions-policy
equalsJeffH Dec 25, 2021
e915c78
Apply jyasskin's suggestions, thx!
equalsJeffH Jan 6, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 18 additions & 3 deletions index.bs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ Shortname: credential-management
Level: 1
Editor: Jeff Hodges, w3cid 43843, Google Inc., [email protected]
Editor: Nina Satragno, w3cid 116344, Google Inc., [email protected]
Former Editor: Mike West 56384, Google Inc., mkwst@google.com
Former Editor: Mike West 56384, Google Inc., mkwst@google.co
equalsJeffH marked this conversation as resolved.
Show resolved Hide resolved
Group: webappsec
Abstract:
This specification describes an imperative API enabling a website to request a
Expand Down Expand Up @@ -783,7 +783,22 @@ spec:css-syntax-3;
6. Let |sameOriginWithAncestors| be `true` if |settings| is [=same-origin with its
ancestors=], and `false` otherwise.

7. Run the following steps [=in parallel=]:
7. Let |key| be the result of [=map/getting the key=] of |options|.
equalsJeffH marked this conversation as resolved.
Show resolved Hide resolved

8. If |key| is {{CredentialRequestOptions/publicKey}} then
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should add web OTP

https://wicg.github.io/web-otp/#sctn-permissions-policy

This mechanism is a bit of a pain to extend to other credential types and somewhat defeats the purpose of the credential types registry. Can we add the permission policy names to the registry, and then iterate those?

Copy link
Collaborator Author

@equalsJeffH equalsJeffH Dec 21, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea, agreed. Although I suggest we do not attempt to do this in this PR, and we instead:

  1. submit an issue about this. ( done: see issue Add "policy controlled feature tokens" column to "Credential Types Registry"  #184 )
  2. address issue #184 in a separate PR after both this PR and PR 181 (which creates the "Credential Types" registry) land.

if |settings|' [=responsible document=] is **not** [=allowed to use=] the
<a data-lt="publickey-credentials-get-feature">publickey-credentials-get</a>
equalsJeffH marked this conversation as resolved.
Show resolved Hide resolved
[=policy-controlled feature=] [[PERMISSIONS-POLICY]] return [=a promise rejected with=] `NotSupportedError`.
equalsJeffH marked this conversation as resolved.
Show resolved Hide resolved

<!-- the below does not link directly to the "password" or "federated" `[[type]]` slot's values'
`<dfn>`s because Bikeshed does not (yet) yield future-proof id's for such "tokens" (according to
Tab Atkins) and thus using a brute-force `<a href="#dom-credential-type-password">password</a>`
link here will break at some point in the future when Bikeshed does handle this properly. -->
Note: <code>[[#passwords|password]]</code> and
<code>[[#federated|federated]]</code> [=credential types=] are not presently
treated as [=policy-controlled features=], although this may change in the future.

9. Run the following steps [=in parallel=]:

1. Let |credentials| be the result of <a abstract-op lt="collect local">collecting
`Credential`s from the credential store</a>, given |origin|, |options|, and
Expand Down Expand Up @@ -827,7 +842,7 @@ spec:css-syntax-3;

Otherwise, [=reject=] |p| with |result|.

7. Return |p|.
10. Return |p|.
</ol>

<h4 id="algorithm-collect-known" algorithm>Collect `Credential`s from the credential store</h4>
Expand Down