LGTM2

On Fri, Nov 22, 2024 at 12:35 PM Mike Taylor <miketa...@chromium.org> wrote:
> Thanks Andrii - I see that Mozilla is positive on the feature now, thanks
> for requesting the review.
>
> And to Alex's request to call out FP risk - the spec does acknowledge it
> <https://w3c.github.io/webauthn/#sctn-disclosing-client-capabilities>,
> and allow UAs to limit what it returns.
>
> LGTM1
> On 11/20/24 1:14 PM, Andrii Natiahlyi wrote:
>
> > Is there additional fingerprinting risk here? I'm happy to see this move
> > forward even if there is, but we should call it out.
>
> The current set of capabilities does not pose such a risk (privacy review
> <https://chromestatus.com/feature/5128205875544064?gate=5101665930444800>).
> However, if any new capabilities will be added to the method that do pose a
> fingerprinting risk, they should undergo a blink-dev / privacy review.
> Also, probably it is worth to highlight the discussions about
> fingerprinting vectors that happened here:
> https://github.com/w3c/webauthn/pull/1923
>
> On Wed, Nov 20, 2024 at 6:14 PM Alex Russell <slightly...@chromium.org>
> wrote:
>
>> Is there additional fingerprinting risk here? I'm happy to see this move
>> forward even if there is, but we should call it out.
>>
>> On Tuesday, November 19, 2024 at 9:24:50 AM UTC-8 Andrii Natiahlyi wrote:
>>
>>> Hello Mike,
>>>
>>> Thank you for your feedback.
>>>
>>> Regarding Gecko, I requested a Mozilla position on this emerging web
>>> specification
>>> <https://github.com/mozilla/standards-positions/issues/1114>.
>>>
>>> > Given that any capability can be omitted, do we expect {} to be
>>> > conforming, however unlikely (I think yes?)?
>>> And yes, you're correct. Even though it's unlikely, we do expect an
>>> empty set `{}` to be conforming.
>>>
>>> Best,
>>> Andrii
>>>
>>> On Mon, Nov 18, 2024 at 7:43 PM Mike Taylor <miketa...@chromium.org>
>>> wrote:
>>>
>>>> On 11/14/24 9:39 AM, 'Andrii Natiahlyi' via blink-dev wrote:
>>>>
>>>> Contact emails natiah...@google.com, a...@google.com
>>>>
>>>> Explainer None
>>>>
>>>> Specification
>>>> https://w3c.github.io/webauthn/#sctn-getClientCapabilities
>>>>
>>>> Summary
>>>>
>>>> getClientCapabilities() method allows to determine which WebAuthn
>>>> features are supported by the user's client. The method returns a list of
>>>> supported capabilities, allowing developers to tailor authentication
>>>> experiences and workflows based on the client's specific functionality.
>>>>
>>>> Blink component Blink>WebAuthentication
>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EWebAuthentication>
>>>>
>>>> TAG review None
>>>>
>>>> It may be useful to send a non-blocking/FYI review here, since this is
>>>> a flavor of feature detection.
>>>>
>>>> TAG review status Not applicable
>>>>
>>>> Risks
>>>>
>>>> Interoperability and Compatibility
>>>>
>>>> None
>>>>
>>>> *Gecko*: No signal
>>>>
>>>> Can we ask for one?
>>>>
>>>> *WebKit*: Shipped/Shipping (
>>>> https://developer.apple.com/documentation/safari-release-notes/safari-17_4-release-notes#WebAuthn
>>>> )
>>>>
>>>> *Web developers*: No signals
>>>>
>>>> *Other signals*:
>>>>
>>>> WebView application risks
>>>>
>>>> Does this intent deprecate or change behavior of existing APIs, such
>>>> that it has potentially high risk for Android WebView-based applications?
>>>>
>>>> None
>>>>
>>>> Debuggability
>>>>
>>>> None
>>>>
>>>> This should probably be N/A - DevTools doesn't need anything special
>>>> here.
>>>>
>>>> Will this feature be supported on all six Blink platforms (Windows,
>>>> Mac, Linux, ChromeOS, Android, and Android WebView)?
>>>> Yes
>>>>
>>>> Is this feature fully tested by web-platform-tests
>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
>>>> ? Yes
>>>>
>>>> https://wpt.fyi/results/webauthn/getclientcapabilities.https.html
>>>>
>>>> Given that any capability can be omitted, do we expect {} to be
>>>> conforming, however unlikely (I think yes?)?
>>>>
>>>> DevTrial instructions
>>>> https://docs.google.com/document/d/e/2PACX-1vR3yUwIFZ0LbKpJ6J4GBamP-IrBgkal3arJ_CZLbRZwBDhFTZpdpVYMsPuvB6Mjnl0heE-6r9wE7Sfw/pub
>>>>
>>>> Flag name on about://flags enable-experimental-web-platform-features
>>>>
>>>> Finch feature name WebAuthenticationClientCapabilities
>>>>
>>>> Requires code in //chrome? False
>>>>
>>>> Tracking bug https://g-issues.chromium.org/issues/360327828
>>>>
>>>> Availability expectation Safari has shipped an implementation already.
>>>>
>>>> Estimated milestones
>>>> Shipping on desktop 133
>>>> DevTrial on desktop 131
>>>> Shipping on Android 133
>>>> DevTrial on Android 131
>>>> Shipping on WebView 133
>>>>
>>>> Anticipated spec changes
>>>>
>>>> Open questions about a feature may be a source of future web compat or
>>>> interop issues. Please list open issues (e.g. links to known github issues
>>>> in the project for the feature specification) whose resolution may
>>>> introduce web compat/interop risk (e.g., changing to naming or structure of
>>>> the API in a non-backward-compatible way).
>>>> None
>>>>
>>>> Link to entry on the Chrome Platform Status
>>>> https://chromestatus.com/feature/5128205875544064?gate=5206408640069632
>>>>
>>>> Links to previous Intent discussions Intent to Prototype:
>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/Wb8VjXe_zT8
>>>> Ready for Trial:
>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/YTkGIdlQMAw
>>>>
>>>> This intent message was generated by Chrome Platform Status
>>>> <https://chromestatus.com/>.
>>>>
>>>> --
>>>>
>>>> Andrii Natiahlyi
>>>> Software Engineer
>>>> natiah...@google.com
>>>>
>>>> Google Germany GmbH
>>>> Erika-Mann-Straße 33
>>>> 80636 München
>>>>
>>>> Managing directors: Paul Manicle, Liana Sebastian
>>>> Registration court and number: Hamburg, HRB 86891
>>>> Registered office: Hamburg
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "blink-dev" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to blink-dev+unsubscr...@chromium.org.
>>>> To view this discussion visit
>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAMrd0vy9wGn_fEQ4e9mX87cgz_jReJw7zOhbTrDweKARCUwyRw%40mail.gmail.com
>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAMrd0vy9wGn_fEQ4e9mX87cgz_jReJw7zOhbTrDweKARCUwyRw%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>> .
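
Added example, not part of the thread and not Chromium code: one way a relying party's page could consume getClientCapabilities() given the two points settled above, that any capability may be omitted and that `{}` is a conforming result. The capability names come from the WebAuthn spec's ClientCapability enum; planSignIn, its return fields and the SAMPLE_* objects are hypothetical.

```javascript
// Added example. Capability names are from the WebAuthn ClientCapability enum;
// planSignIn, its return shape and the SAMPLE_* objects are hypothetical.

// Tri-state lookup: an absent key means "unknown", not "unsupported".
// A user agent may omit keys to limit what it discloses.
function capabilityState(caps, name) {
  if (!Object.prototype.hasOwnProperty.call(caps, name)) return "unknown";
  return caps[name] === true ? "supported" : "unsupported";
}

// Returns the capability record, or {} when the method is missing or rejects.
// `pkc` defaults to the browser's PublicKeyCredential interface.
async function readClientCapabilities(pkc = globalThis.PublicKeyCredential) {
  if (!pkc || typeof pkc.getClientCapabilities !== "function") return {};
  try {
    return (await pkc.getClientCapabilities()) || {};
  } catch {
    return {};
  }
}

// Decide what to offer. Only an explicit `false` hides the passkey button;
// "unknown" keeps it available and lets the actual WebAuthn call decide.
function planSignIn(caps) {
  const autofill = capabilityState(caps, "conditionalGet");
  const platform = capabilityState(caps, "passkeyPlatformAuthenticator");
  const hybrid = capabilityState(caps, "hybridTransport");
  return {
    // Autofill UI is only wired up on a positive signal.
    passkeyAutofill: autofill === "supported",
    offerPasskeyButton: !(platform === "unsupported" && hybrid === "unsupported"),
    // True when the page should fall back to other detection or just try.
    needsRuntimeProbe: [autofill, platform, hybrid].includes("unknown"),
  };
}

// Constructed sample results, not captured from a real browser.
const SAMPLE_FULL = { conditionalGet: true, passkeyPlatformAuthenticator: true, hybridTransport: true };
const SAMPLE_EMPTY = {}; // conforming: the user agent disclosed nothing
const SAMPLE_NONE = { conditionalGet: false, passkeyPlatformAuthenticator: false, hybridTransport: false };

// Outside a browser this resolves to {} and prints the "unknown" plan.
readClientCapabilities().then((caps) => console.log(planSignIn(caps)));
```

Treating a missing key as `false` would hide passkey sign-in from users whose browser simply chose not to disclose the capability.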