Open
Bug 1451111
Opened 6 years ago
Updated 8 months ago
navigator.credentials.get is not respecting `allowCredentials` for filtering out authenticators
Categories
(Core :: DOM: Web Authentication, defect, P2)
UNCONFIRMED
People
(Reporter: nightofthescorpion, Unassigned)
References
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Steps to reproduce:
1. Use a Yubikey and Github SoftU2F
2. Register a Yubikey credential with `navigator.credentials.create`
3. Start an auth ceremony with `navigator.credentials.get` and pass in the stored credential ID in `allowCredentials`
4. Both the Yubikey and SoftU2F flash for an auth ceremony.

Actual results:
Both the Yubikey and SoftU2F flash for an auth ceremony.

Expected results:
As per the spec I would expect only the Yubikey to be requested for an auth ceremony, but both/all authenticators are requested. https://w3c.github.io/webauthn/#discover-from-external-source

Attempting to interact with the SoftU2F token fails due to Bug 1448408 and aborts the auth ceremony entirely.
Comment 1•6 years ago
This behavior is apparent at https://webauthn.bin.coffee/, which appears to use `allowCredentials` for credential filtering.
I'm not 100% sure if this is the right component, so please correct if needed. Thanks.
Component: Untriaged → Security
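The filtering the report expects, as an added example that is not part of the bug report or Firefox's code: a Node.js model of the allow-list matching in the linked spec section, plus the relying-party check that a returned credential ID is on the list. The function names, authenticator objects and credential IDs are constructed for illustration.

```javascript
// Added example: models the allowCredentials filtering the report expects.
// All names, authenticator objects and credential IDs here are constructed.
function b64urlToBytes(s) {
  return new Uint8Array(Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64"));
}

// Build the object passed as navigator.credentials.get({ publicKey: options }).
function buildRequestOptions(challenge, storedIds) {
  return {
    challenge,
    allowCredentials: storedIds.map((id) => ({ type: "public-key", id: b64urlToBytes(id) })),
  };
}

const sameBytes = (a, b) => a.length === b.length && a.every((v, i) => v === b[i]);

// Expected client behaviour: with a non-empty allow list, an authenticator is
// only asked for user interaction if a listed credential is bound to it.
function authenticatorsToPrompt(options, authenticators) {
  if (options.allowCredentials.length === 0) return authenticators.map((a) => a.name);
  return authenticators
    .filter((a) => options.allowCredentials.some((d) =>
      a.credentialIds.some((held) => sameBytes(held, d.id))))
    .map((a) => a.name);
}

// Relying-party check: the credential ID in the assertion must be on the list.
function assertionIsAllowed(options, rawId) {
  return options.allowCredentials.length === 0 ||
    options.allowCredentials.some((d) => sameBytes(d.id, rawId));
}

// Constructed sample data: one credential registered on the hardware key.
const yubikeyCredId = "q83vASNFZ4mrze8BI0VniQ";
const softU2fCredId = "3q2-7wAAAAAAAAAAAAAAAQ";
const authenticators = [
  { name: "YubiKey", credentialIds: [b64urlToBytes(yubikeyCredId)] },
  { name: "SoftU2F", credentialIds: [b64urlToBytes(softU2fCredId)] },
];
// Placeholder challenge; a real one is random and generated by the server.
const options = buildRequestOptions(new Uint8Array(32), [yubikeyCredId]);
console.log(authenticatorsToPrompt(options, authenticators));
```

The server-side check in `assertionIsAllowed` holds regardless of which authenticators the browser prompts, so a response from an unlisted credential is still rejected.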
Updated•4 years ago
Component: Security → DOM: Web Authentication
Product: Firefox → Core
Updated•2 years ago
Severity: normal → S3
Updated•2 years ago
Priority: -- → P2
Updated•1 year ago
Depends on: enable-ctap2
Updated•8 months ago