LGTM3 On Wed, Nov 27, 2024 at 10:59 AM Chris Harrelson <chris...@chromium.org> wrote:
> LGTM2 > > On Fri, Nov 22, 2024 at 12:35 PM Mike Taylor <miketa...@chromium.org> > wrote: > >> Thanks Andrii - I see that Mozilla is positive on the feature now, thanks >> for requesting the review. >> >> And to Alex's request to call out FP risk - the spec does acknowledge it >> <https://w3c.github.io/webauthn/#sctn-disclosing-client-capabilities>, >> and allow UAs to limit what it returns. >> >> LGTM1 >> On 11/20/24 1:14 PM, Andrii Natiahlyi wrote: >> >> > Is there additional fingerprinting risk here? I'm happy to see this >> move forward even if there is, but we should call it out. >> >> The current set of capabilities does not pose such a risk (privacy review >> <https://chromestatus.com/feature/5128205875544064?gate=5101665930444800>). >> However, if any new capabilities will be added to the method that do pose a >> fingerprinting risk, they should undergo a blink-dev / privacy review. >> Also, probably it is worth to highlight the discussions about >> fingerprinting vectors that happened here: >> https://github.com/w3c/webauthn/pull/1923 >> >> On Wed, Nov 20, 2024 at 6:14 PM Alex Russell <slightly...@chromium.org> >> wrote: >> >>> Is there additional fingerprinting risk here? I'm happy to see this move >>> forward even if there is, but we should call it out. >>> >>> On Tuesday, November 19, 2024 at 9:24:50 AM UTC-8 Andrii Natiahlyi wrote: >>> >>>> Hello Mike, >>>> >>>> Thank you for your feedback. >>>> >>>> Regarding Gecko, I requested a Mozilla position on this emerging web >>>> specification >>>> <https://github.com/mozilla/standards-positions/issues/1114>. >>>> >>>> > Given that any capability can be omitted, do we expect {} to be >>>> conforming, however unlikely (I think yes?)? >>>> And yes, you're correct. Even though it's unlikely, we do expect an >>>> empty set `{}` to be conforming. >>>> >>>> Best, >>>> Andrii >>>> >>>> >>>> On Mon, Nov 18, 2024 at 7:43 PM Mike Taylor <miketa...@chromium.org> >>>> wrote: >>>> >>>>> On 11/14/24 9:39 AM, 'Andrii Natiahlyi' via blink-dev wrote: >>>>> >>>>> Contact emails natiah...@google.com, a...@google.com >>>>> >>>>> Explainer None >>>>> >>>>> Specification >>>>> https://w3c.github.io/webauthn/#sctn-getClientCapabilities >>>>> >>>>> Summary >>>>> >>>>> getClientCapabilities() method allows to determine which WebAuthn >>>>> features are supported by the user's client. The method returns a list of >>>>> supported capabilities, allowing developers to tailor authentication >>>>> experiences and workflows based on the client's specific functionality. >>>>> >>>>> >>>>> Blink component Blink>WebAuthentication >>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EWebAuthentication> >>>>> >>>>> TAG review None >>>>> >>>>> It may be useful to send a non-blocking/FYI review here, since this is >>>>> a flavor of feature detection. >>>>> >>>>> >>>>> TAG review status Not applicable >>>>> >>>>> Risks >>>>> >>>>> >>>>> Interoperability and Compatibility >>>>> >>>>> None >>>>> >>>>> >>>>> *Gecko*: No signal >>>>> >>>>> Can we ask for one? >>>>> >>>>> >>>>> *WebKit*: Shipped/Shipping ( >>>>> https://developer.apple.com/documentation/safari-release-notes/safari-17_4-release-notes#WebAuthn >>>>> ) >>>>> >>>>> *Web developers*: No signals >>>>> >>>>> *Other signals*: >>>>> >>>>> WebView application risks >>>>> >>>>> Does this intent deprecate or change behavior of existing APIs, such >>>>> that it has potentially high risk for Android WebView-based applications? >>>>> >>>>> None >>>>> >>>>> >>>>> Debuggability >>>>> >>>>> None >>>>> >>>>> This should probably be N/A - DevTools doesn't need anything special >>>>> here. >>>>> >>>>> >>>>> >>>>> Will this feature be supported on all six Blink platforms (Windows, >>>>> Mac, Linux, ChromeOS, Android, and Android WebView)? Yes >>>>> >>>>> Is this feature fully tested by web-platform-tests >>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>>>> ? Yes >>>>> >>>>> https://wpt.fyi/results/webauthn/getclientcapabilities.https.html >>>>> >>>>> Given that any capability can be omitted, do we expect {} to be >>>>> conforming, however unlikely (I think yes?)? >>>>> >>>>> >>>>> >>>>> DevTrial instructions >>>>> https://docs.google.com/document/d/e/2PACX-1vR3yUwIFZ0LbKpJ6J4GBamP-IrBgkal3arJ_CZLbRZwBDhFTZpdpVYMsPuvB6Mjnl0heE-6r9wE7Sfw/pub >>>>> >>>>> Flag name on about://flags enable-experimental-web-platform-features >>>>> >>>>> Finch feature name WebAuthenticationClientCapabilities >>>>> >>>>> Requires code in //chrome? False >>>>> >>>>> Tracking bug https://g-issues.chromium.org/issues/360327828 >>>>> >>>>> Availability expectation Safari has shipped an implementation already. >>>>> >>>>> Estimated milestones >>>>> Shipping on desktop 133 >>>>> DevTrial on desktop 131 >>>>> Shipping on Android 133 >>>>> DevTrial on Android 131 >>>>> Shipping on WebView 133 >>>>> >>>>> Anticipated spec changes >>>>> >>>>> Open questions about a feature may be a source of future web compat or >>>>> interop issues. Please list open issues (e.g. links to known github issues >>>>> in the project for the feature specification) whose resolution may >>>>> introduce web compat/interop risk (e.g., changing to naming or structure >>>>> of >>>>> the API in a non-backward-compatible way). >>>>> None >>>>> >>>>> Link to entry on the Chrome Platform Status >>>>> https://chromestatus.com/feature/5128205875544064?gate=5206408640069632 >>>>> >>>>> Links to previous Intent discussions Intent to Prototype: >>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/Wb8VjXe_zT8 >>>>> Ready for Trial: >>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/YTkGIdlQMAw >>>>> >>>>> >>>>> This intent message was generated by Chrome Platform Status >>>>> <https://chromestatus.com/>. >>>>> >>>>> -- >>>>> >>>>> Andrii Natiahlyi >>>>> >>>>> Software Engineer >>>>> >>>>> natiah...@google.com >>>>> >>>>> Google Germany GmbH >>>>> >>>>> Erika-Mann-Straße 33 >>>>> >>>>> 80636 München >>>>> >>>>> Geschäftsführer: Paul Manicle, Liana Sebastian >>>>> >>>>> Registergericht und -nummer: Hamburg, HRB 86891 >>>>> >>>>> Sitz der Gesellschaft: Hamburg >>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "blink-dev" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to blink-dev+unsubscr...@chromium.org. >>>>> To view this discussion visit >>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAMrd0vy9wGn_fEQ4e9mX87cgz_jReJw7zOhbTrDweKARCUwyRw%40mail.gmail.com >>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAMrd0vy9wGn_fEQ4e9mX87cgz_jReJw7zOhbTrDweKARCUwyRw%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>>> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to blink-dev+unsubscr...@chromium.org. >> To view this discussion visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/9604625a-cba0-4831-864c-4af907f07eba%40chromium.org >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/9604625a-cba0-4831-864c-4af907f07eba%40chromium.org?utm_medium=email&utm_source=footer> >> . >> > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw-MhCYF1QdNcHJBcox33evLKnmY66P-23Un%3DxYvOJoTBA%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw-MhCYF1QdNcHJBcox33evLKnmY66P-23Un%3DxYvOJoTBA%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADsXd2PKz2CWOvi1SqgRcwtT81ptpYP4vi%3DWBzM36MPvL89oow%40mail.gmail.com.
