259934 2023-08-08 10:30:08 -0700 [WebAuthn] Implement PRF extension + hmac-secret 2026-01-08 23:37:45 -0800 1 1 1 Unclassified WebKit WebKit Misc. WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 pascoe pascoe andrey bsoft pascoe rew.islam webkit-bug-importer oldest_to_newest 1970111 0 pascoe 2023-08-08 10:30:08 -0700 We currently do not support the PRF extension or the necessary CTAP extension for it, hmac-secret. This bug is to implement both of those. 1970112 1 webkit-bug-importer 2023-08-08 10:30:21 -0700 <rdar://problem/113572812> 1970113 2 pascoe 2023-08-08 10:30:41 -0700 explainer: https://github.com/w3c/webauthn/wiki/Explainer:-PRF-extension 2106118 3 rew.islam 2025-03-26 06:28:35 -0700 It would be great to also see support for hmac-secret-mc: https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#sctn-hmac-secret-make-cred-extension 2157870 4 pascoe 2025-11-11 00:26:57 -0800 Pull request: https://github.com/WebKit/WebKit/pull/53734 2160641 5 ews-feeder 2025-11-21 10:54:21 -0800 Committed 303406@main (a305a458493c): <https://commits.webkit.org/303406@main> Reviewed commits have been landed. Closing PR #53734 and removing active labels. 2167511 6 bsoft 2025-12-20 00:17:53 -0800 Crashes on Safari TP 234 "exceptionReason" : {"arguments":["%s","setPrf:","0xb03edc930"],"format_string":"-[%s %s]: unrecognized selector sent to instance %p","name":"NSInvalidArgumentException","type":"objc-exception","composed_message":"-[%s setPrf:]: unrecognized selector sent to instance 0xb03edc930","class":"NSException"}, Platform authenticator PRF support is well implemented in released Safari, but not for hardware keys (HMAC over CTAP) what this pull request should essentially solve. Can be regression in Safari TP, now any request for PRF extension in await navigator.credentials.create will crash. 2167512 7 bsoft 2025-12-20 00:30:41 -0800 Such features should be clearly marked in STP release notes to require also a dedicated OS beta version, for this case where setPrf selector is available. 2167522 8 bsoft 2025-12-20 02:58:34 -0800 Tested with latest macOS Tahoe 26.3 Beta. Same issue. @pascoe@apple.com Your release process is fairly useless for such features that need proper platform support. 2170261 9 rew.islam 2026-01-08 06:58:08 -0800 I can confirm the crash on Safari TP 234 (running on 26.2 (25C56)) Process: Safari Technology Preview [97404] Path: /Applications/Safari Technology Preview.app/Contents/MacOS/Safari Technology Preview Identifier: com.apple.SafariTechnologyPreview Version: 26.0 (21624.1.6.19.3) Build Info: Safari-7624001006019003~2 Code Type: ARM-64 (Native) Role: Foreground Parent Process: launchd [1] Coalition: com.apple.SafariTechnologyPreview [47295] User ID: 502 Date/Time: 2026-01-08 15:54:50.0541 +0100 Launch Time: 2026-01-08 15:53:51.4472 +0100 Hardware Model: MacBookPro18,2 OS Version: macOS 26.2 (25C56) Release Type: User Crash Reporter Key: 7EB201A4-6F6D-1A1C-38A5-1BEB294BB4CD Incident Identifier: EC4EE0B7-84EA-4FD5-BC36-371C1E028C9F Sleep/Wake UUID: F31CC780-500F-495C-8D10-3C4317D191F7 Time Awake Since Boot: 430000 seconds Time Since Wake: 3731 seconds System Integrity Protection: enabled Triggered by Thread: 0, Dispatch Queue: com.apple.main-thread Exception Type: EXC_CRASH (SIGABRT) Exception Codes: 0x0000000000000000, 0x0000000000000000 Exception Reason: -[%s setPrf:]: unrecognized selector sent to instance 0x90845cb60 Termination Reason: Namespace SIGNAL, Code 6, Abort trap: 6 Terminating Process: Safari Technology Preview [97404] Application Specific Information: abort() called 2170576 10 rew.islam 2026-01-08 23:37:45 -0800 The above crash was produced with these steps: 1. Visit https://demo.wwwallet.org/login 2. Click "Sign Up" 3. Enter a name 4. Click "Passkey on a security key" Expected: System prompt for a security key (via CTAP) Actual: The above crash