Bug 218743
| Summary: | Geolocation api breaks web authentication with Touch ID/Face ID | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Levon Karapetyan <levonkarapetyan> |
| Component: | WebKit Misc. | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WORKSFORME | ||
| Severity: | Normal | CC: | cdumez, jiewen_tan, smoley, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | Safari 14 | ||
| Hardware: | iPhone / iPad | ||
| OS: | Unspecified | ||
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=181943 | ||
Levon Karapetyan
When a geolocation API is used between user click and WebAuthn call, then Safari on iOS 14 restricts Touch ID/Face ID usage.
Here is a code example:
document.getElementById("mybutton").onclick = function() {
navigator.geolocation.getCurrentPosition(register, register);
}
function register() {
var options = {...};
navigator.credentials.create({
publicKey: options
})
.then(console.log)
.catch(console.error);
}
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Radar WebKit Bug Importer
<rdar://problem/71258803>
Marcos Caceres
Tested on a physical iOS device running current iOS/WebKit (March 2026). Both the baseline (direct tap → credentials.create()) and the bug scenario (tap → geolocation.getCurrentPosition() → credentials.create() from callback) succeed — the passkey sheet appears and completes normally in both cases. This is no longer reproducible. Closing as WORKSFORME.