On Thursday, March 10, 2016 at 11:27:34 PM UTC-5, Martin Thomson wrote:
> On Fri, Mar 11, 2016 at 5:56 AM, Axel Nennker <ignisvul...@gmail.com> wrote:
> > no password generation help by the UA
>
> I agree with MattN here, not doing this eliminates much of the
> advantage of having a password manager. Or do you have a plan to rely
> on sites doing that with CredentialContainer.store()? That doesn't
> sound optimal to me.

I think the idea would be something like:

```
var pass = /* generate a long random password */;
var cred = new PasswordCredential({password: pass});
navigator.credentials.store(cred);
```

So having the API as an imperative interface to the password manager doesn't do the work for you, but (ISTM) makes it more appealing to do so, since you have more assurance that the user is never going to have to see it.

That does raise the question, however, of how such a credential differs from, say:

* A cookie
* A random nonce in localStorage/IDB
* A non-extractable WebCrypto key

By which I mean that if a website wants to verify that it is loaded in the same browser as before, it already has a variety of ways to do so, some of which offer better anti-theft properties than these Credential objects. Presumably the fact that these are not being used means that the site wants some indication that it has the right *user*, not just the right browser. In which case, generating a long random password is not so useful.

--Richard

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
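
A fuller version of the sketch in the message above, as an added example that is not part of the original post: it fills in the password generation with rejection sampling over CSPRNG bytes and hands the result to `navigator.credentials.store()`. The alphabet, the 16-character minimum, the function names and the `id` argument (which `PasswordCredential` requires) are assumptions of this example.

```javascript
// Added example, not code from the thread. Alphabet, minimum length and
// function names are assumptions made for illustration.
const ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%*+-=?_";

// Default byte source: the Web Crypto CSPRNG. Injectable so it can be tested.
const cryptoFill = (buf) => globalThis.crypto.getRandomValues(buf);

function generatePassword(length = 32, fill = cryptoFill) {
  if (!Number.isInteger(length) || length < 16) {
    throw new RangeError("length must be an integer >= 16");
  }
  // Bytes >= limit are discarded so that byte % ALPHABET.length is uniform
  // (256 is not a multiple of 72, so a plain modulo would favour early chars).
  const limit = 256 - (256 % ALPHABET.length);
  const buf = new Uint8Array(length * 2);
  let out = "";
  while (out.length < length) {
    fill(buf);
    for (const b of buf) {
      if (b >= limit) continue;
      out += ALPHABET[b % ALPHABET.length];
      if (out.length === length) break;
    }
  }
  return out;
}

// Hands the generated password to the browser's password manager.
// Returns false where the API is unavailable.
// The site must also register the password with its server; not shown.
async function storeGeneratedPassword(id, length = 32) {
  if (typeof PasswordCredential === "undefined" ||
      !globalThis.navigator || !navigator.credentials) {
    return false;
  }
  const password = generatePassword(length);
  const cred = new PasswordCredential({ id, password });
  await navigator.credentials.store(cred);
  return true;
}
```
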