Closed Bug 1448408 Opened 2 years ago Closed 10 months ago
Web Authentication - Don't listen to visibility events
47 bytes, text/x-phabricator-request
|Details | Review|
The SoftU2F project  provides an authenticator in-software which works using system prompts instead of external interactions. Since Bug 1409202, WebAuthn aborts if Firefox goes into the background at all. Since going into the background is mandatory for SoftU2F, interacting with SoftU2F always causes an AbortError, rendering it unusuable. More OS-integrated mechanisms, like Windows Hello, may or may not have the same problem. We might want to be a little less strict about foreground-only?  https://github.com/github/SoftU2F
(In reply to J.C. Jones [:jcj] from comment #0) > We might want to be a little less strict about foreground-only? I just check Chrome Canary and it looks like there are no checks at all. I can launch a WebAuthn request from a background tab or a minimized window. Active requests aren't aborted when switching tabs or windows. We could possibly do something in between, i.e. allow requests to start only when the tab is selected in the active window, but don't cancel when switching tabs. Or don't cancel when switching windows? Although that still wouldn't help with bug 1445242...
Chrome does have some requirements. I think if the response from the security key comes while the window doesn't have focus it is ignored. Soft U2F tries to give focus back very quickly to work with this behavior.
(In reply to Ben Toews from comment #2) > Chrome does have some requirements. I think if the response from the > security key comes while the window doesn't have focus it is ignored. This doesn't reproduce with Canary at least. I can initiate and complete requests with Chrome in the background.
Is there anything that can be done to work around this? I was trying to switch to Firefox today from Chrome but SoftU2F does not work with it due to this bug and there has not been activity here for a very long time.
I'll be addressing this and most of the other webauthn bugs currently on-file in Q1 2019. Hopefully January, but TBD.
Component: DOM: Device Interfaces → DOM: Web Authentication
Assignee: nobody → jjones
Status: NEW → ASSIGNED
Priority: P3 → P1
Summary: Web Authentication - SoftU2F unusable due to context switch aborts → Web Authentication - Don't listen to visibility events
Pushed by email@example.com: https://hg.mozilla.org/integration/autoland/rev/f7937d3264db Web Authentication - Don't immediately abort on visibility events r=keeler
Depends on: 1534590
You need to log in before you can comment on or make changes to this bug.