248847 2022-12-06 17:04:46 -0800 [WebAuthn] googleLegacyAppidSupport extension is obsolete and can be removed 2024-04-03 08:57:00 -0700 1 1 1 Unclassified WebKit WebKit Misc. WebKit Nightly Build Unspecified Unspecified RESOLVED DUPLICATE 254848 InRadar P2 Normal --- 1 martinkr pascoe pascoe webkit-bug-importer oldest_to_newest 1917089 0 martinkr 2022-12-06 17:04:46 -0800 In https://bugs.webkit.org/show_bug.cgi?id=202427, WebKit added support for the non-standard googleLegacyAppidSupport WebAuthn request extension. If set by a google.com origin, this extension causes the WebAuthn API create() call to create a U2F API style credential bound to the hard-coded App ID `https://www.gstatic.com/securitykey/origins.json`, rather than a credential bound to a WebAuthn RP ID. Google.com stopped relying on this behavior several months ago. This means the googleLegacyAppidSupport extension is now obsolete and can be removed. (Here is Chromium’s change removing this extension: https://chromium-review.googlesource.com/c/chromium/src/+/3958174.) Note that google.com continues to rely on the ability to _assert_ legacy U2F/CTAP1 credentials bound to the `https://www.gstatic.com/securitykey/origins.json` U2F App ID for the foreseeable future. 1917117 1 pascoe 2022-12-06 19:32:18 -0800 Thanks Martin. 1917674 2 webkit-bug-importer 2022-12-08 12:32:28 -0800 <rdar://problem/103141593> 2025709 3 pascoe 2024-04-03 08:57:00 -0700 *** This bug has been marked as a duplicate of bug 254848 ***