258642 – [WebAuthn] invoking modal UI after canceling conditional UI results in loss of user activated event

Bug 258642 - [WebAuthn] invoking modal UI after canceling conditional UI results in loss of user activated event

Summary: [WebAuthn] invoking modal UI after canceling conditional UI results in loss o...

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	New Bugs (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2023-06-28 13:17 PDT by sweeden
Modified:	2023-07-05 13:18 PDT (History)
CC List:	5 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description sweeden 2023-06-28 13:17:36 PDT

Consider the following scenario:

1. On page load, navigator.credentials.get is called for autofill UI with mediation: "conditional". An appropriate abortController is established.
2. The page also contains a "Sign in with passkey" button, which the user presses.
3. In the onclick handler for the button, the abortController.abort() is called.
4. Either using async/await, or by using the catch() handler of the call to to conditional mediation call to navigator.credentials.get, we wait for the abort to complete, then try to invoke the modal version of navigator.credentials.get.
5. At this point a permissions warning is shown "This web page is trying to ask you to sign in using a passkey or security key. Do you want to allow this?" Don't Allow / Allow. 

The bug is that the warning in step 5 above should not be shown because there was a user activated event (the push of the "Sign in with a passkey" button) however the async canceling of the autofill call seems to consume it.

Comment 1 Radar WebKit Bug Importer 2023-07-05 13:18:16 PDT

<rdar://problem/111805589>