Bug 230893

Summary: Present non-modal dialog to present Webauthn panel without user gesture upon credentials.get/create calls
Product: WebKit
Reporter: pascoe <pascoe>
Component: WebKit Misc.
Assignee: pascoe <pascoe>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, ews-watchlist, jiewen_tan, webkit-bug-importer, wilander
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Description pascoe@apple.com 2021-09-28 08:43:05 PDT
Many sites special case on Safari due to its user gesture requirement. This change loosens the requirement.
Comment 1 pascoe@apple.com 2021-09-28 08:43:21 PDT
rdar://79781342
Comment 2 pascoe@apple.com 2021-09-28 08:48:13 PDT
Created attachment 439479 [details]
Patch
Comment 3 Radar WebKit Bug Importer 2021-10-05 08:44:20 PDT
<rdar://problem/83887873>
Comment 4 pascoe@apple.com 2021-10-11 16:35:06 PDT
Created attachment 440855 [details]
Patch
Comment 5 pascoe@apple.com 2021-10-12 15:57:56 PDT
Created attachment 441008 [details]
Patch
Comment 6 pascoe@apple.com 2021-10-13 12:55:16 PDT
Created attachment 441122 [details]
Patch
Comment 7 pascoe@apple.com 2021-10-13 15:03:39 PDT
Created attachment 441139 [details]
Patch
Comment 8 pascoe@apple.com 2021-10-13 17:42:58 PDT
Created attachment 441167 [details]
Patch
Comment 9 Brent Fulgham 2021-10-15 15:59:03 PDT
Comment on attachment 441167 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=441167&action=review

> LayoutTests/ChangeLog:10
> +        in the WebAuthn layout tests.

Are any of these WebKit-specific tests covered by WPT tests?

> LayoutTests/http/wpt/webauthn/ctap-hid-success.https.html:-1
> -<!DOCTYPE html><!-- webkit-test-runner [ WebAuthenticationModernEnabled=true ] -->
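
Review bot: line 1 of ctap-hid-success.https.html is removed whole, and that line carries <!DOCTYPE html> as well as the webkit-test-runner [ WebAuthenticationModernEnabled=true ] option. If only the option is meant to go, make sure the replacement line keeps the doctype so the test does not fall into quirks mode, and say in the ChangeLog why the option is dropped.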

Did you intend to deactivate the modern WebAuthn stuff in all of these tests? That seems unexpected for this patch.
Comment 10 John Wilander 2021-10-28 09:25:48 PDT
Can you explain in what cases sites need to use these credentials without a user gesture? There is a tangible risk of allowing instant access to credentials.
Comment 11 John Wilander 2021-10-28 09:27:19 PDT
I remember being part of the discussion on why we added a user gesture requirement.
Comment 12 pascoe@apple.com 2021-10-28 10:03:46 PDT
Credentials can never be used without a user gesture (up=0, without user presence). This is for presenting the modal dialog where you can choose to select a key / insert an authenticator. After a given credential is chosen, there is still a test of user presence. Currently we require a user gesture to present this dialog, but you get a free try without it if you are Dropbox, Microsoft, Google, Twitter, or Facebook.

The worry is about websites spamming modal dialogs to prevent users from changing tabs, etc. Unfortunately there's no pre-existing case of a webkit-only non-modal dialog for macOS that I can find (even mini browser stuff uses NSAlert.)
Comment 13 John Wilander 2021-10-28 10:07:23 PDT
(In reply to j_pascoe@apple.com from comment #12)
> Credentials can never be used without a user gesture (up=0, without user
> presence). This is for presenting the modal dialog where you can choose to
> select a key / insert an authenticator. After a given credential is chosen,
> there is still a test of user presence. Currently we require a user gesture
> to present this dialog, but you get a free try without it if you are
> Dropbox, Microsoft, Google, Twitter, or Facebook.
> 
> The worry is about websites spamming modal dialogs to prevent users from
> changing tabs, etc. Unfortunately there's no pre-existing case of a
> webkit-only non-modal dialog for macOS that I can find (even mini browser
> stuff uses NSAlert.)

Thanks! Please rename the bug to make it clear in which context the user gesture requirement will be relaxed.

Regarding user presence. We need to make that clear too. A user can be present but passively so, right? I want to avoid drive-by redirects that can pick up credentials. We already have that problem with cookies which is a multi-year project to rein in.
Comment 14 pascoe@apple.com 2021-10-28 10:39:01 PDT
User presence in the context of WebAuthn is defined as "A test of user presence is a simple form of authorization gesture and technical process where a user interacts with an authenticator by (typically) simply touching it (other modalities may also exist), yielding a Boolean result." with an authorization gesture defined as "a physical interaction performed by a user with an authenticator as part of a ceremony, such as registration or authentication. By making such an authorization gesture, a user provides consent for (i.e., authorizes) a ceremony to proceed." 

So the case of a user passively present would not count. In the platform authenticator case with Face ID for example, a dialog is presented asking if it's okay for the website to use Face ID, hitting yes here is the test of user presence.

This bug refers to changing the behavior of what is required to present that dialog asking if it's okay in the first place, as it's modal on iOS for example, and if a site was able to spam it, they would not be able to change tabs or otherwise exit the website. Currently, we require a user gesture on the call to navigator.credentials.create() or navigator.credentials.get() as a way to prevent this. Unfortunately, few RPs perform their call to navigator.credentials.create() or navigator.credentials.get() with a user gesture, leading to WebAuthn not working at all in most cases.

As a compromise, currently we allow one free use of navigator.credentials.create() or navigator.credentials.get() without a user gesture to present the Webauthn panel if the request comes from a short list of popular websites (Dropbox, Microsoft, Google, Twitter, or Facebook.)

This bug is to change the current behavior to give all sites one freebie use of navigator.credentials.create() or navigator.credentials.get() to present the modal UI without a user gesture. Then if another call is made without a gesture, the user will be required to hit allow on a non-modal, pre-dialog to the current dialogs asking the user if they want to use WebAuthn.

Also, of note is that there are rumblings of adding non-modal UI for Webauthn to the spec in level 3 here: https://github.com/w3c/webauthn/issues/1545
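
Added example (not part of the thread and not WebKit code): comments 12 and 14 separate the browser's user gesture requirement from the authenticator's test of user presence, which reaches the relying party as the UP bit in the authenticator data. The Node.js sketch below shows a relying-party check of that bit; the RP ID "login.example", the function names and the sample buffers are constructed for illustration, and signature verification, which must pass before the flags can be trusted, is out of scope.

```javascript
// Added example: relying-party-side check of WebAuthn authenticator data flags.
const { createHash } = require('node:crypto');

const FLAG_UP = 0x01; // bit 0: test of user presence passed
const FLAG_UV = 0x04; // bit 2: user verified (PIN, biometric, ...)

// authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian) | ...
function parseAuthenticatorData(buf) {
  if (!Buffer.isBuffer(buf) || buf.length < 37) {
    throw new Error('authenticatorData shorter than 37 bytes');
  }
  const flags = buf[32];
  return {
    rpIdHash: buf.subarray(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: buf.readUInt32BE(33),
  };
}

// Returns the list of policy failures; an empty list means the flags are acceptable.
// Call this only after the assertion signature has been verified.
function checkAssertionFlags(buf, expectedRpId, { requireUserVerification = false } = {}) {
  const data = parseAuthenticatorData(buf);
  const problems = [];
  const expectedHash = createHash('sha256').update(expectedRpId, 'utf8').digest();
  if (!data.rpIdHash.equals(expectedHash)) problems.push('rpIdHash mismatch');
  if (!data.userPresent) problems.push('UP flag not set (up=0)');
  if (requireUserVerification && !data.userVerified) problems.push('UV flag not set');
  return problems;
}

// Constructed sample input: builds a minimal 37-byte authenticatorData.
function buildSample(rpId, flags, signCount) {
  const out = Buffer.alloc(37);
  createHash('sha256').update(rpId, 'utf8').digest().copy(out, 0);
  out[32] = flags;
  out.writeUInt32BE(signCount, 33);
  return out;
}

const touched = buildSample('login.example', FLAG_UP, 7); // user touched the authenticator
const silent = buildSample('login.example', 0x00, 8);     // up=0, no presence test
console.log(checkAssertionFlags(touched, 'login.example'));
console.log(checkAssertionFlags(silent, 'login.example'));
```
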
Comment 15 pascoe@apple.com 2021-12-02 15:40:54 PST
Created attachment 445782 [details]
Patch
Comment 16 pascoe@apple.com 2021-12-03 13:47:59 PST
Created attachment 445893 [details]
Patch
Comment 17 pascoe@apple.com 2021-12-07 10:44:19 PST
Created attachment 446201 [details]
Patch
Comment 18 Brent Fulgham 2021-12-08 11:43:28 PST
Comment on attachment 446201 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=446201&action=review

lgtm. r+

> Source/WebKit/UIProcess/API/C/WKPageUIClient.h:1698
> +    WKPageRequestWebAuthenticationNoGestureCallback                   requestWebAuthenticationNoGesture;

Nit: Missing two spaces in front of requestWebAuthenticationNoGesture.
Comment 19 pascoe@apple.com 2021-12-08 12:40:48 PST
Created attachment 446411 [details]
Patch
Comment 20 pascoe@apple.com 2021-12-08 12:41:18 PST
Thank you for the review, addressed comments.
Comment 21 Brent Fulgham 2021-12-08 12:57:28 PST
Comment on attachment 446411 [details]
Patch

r=me
Comment 22 EWS 2021-12-09 09:54:42 PST
Committed r286785 (245026@main): <https://commits.webkit.org/245026@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 446411 [details].