Open Bug 1897751 Opened 1 year ago Updated 1 year ago

timeout not working on Firefox for navigator.credentials.create() request

Categories

(Core :: DOM: Web Authentication, defect, P3)

Firefox 128
All
macOS
defect

UNCONFIRMED

People

(Reporter: johnsmilee0611, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Edg/125.0.0.0

Steps to reproduce:

Hi, I am facing an issue with the timeout implementation on navigator.credentials.create().

I am trying to build authentication using WebAuthn. I call navigator.credentials.create() upon a user-specific action (button click), which then prompts a dialog for the user to perform a biometric gesture.

I am passing a timeout value in the public key credential request:
{
  "challenge": "testchanllengevalue",
  "rp": { "name": "test.com" },
  "user": {
    "id": "12345-543212-12345-54321",
    "name": "NAME",
    "displayName": "NAME"
  },
  "attestation": "direct",
  "timeout": 20000,
  "authenticatorSelection": {
    "authenticatorAttachment": "platform",
    "requireResidentKey": false,
    "userVerification": "required"
  },
  "pubKeyCredParams": [
    { "type": "public-key", "alg": -7 },
    { "type": "public-key", "alg": -257 }
  ]
}

Actual results:

However, I noticed that the timeout value is not honored on Firefox, and the dialog shown to the user for the biometric gesture stays forever.

Expected results:

I expect it to time out after 20000.

Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Device Interfaces
Product: Firefox → Core
Group: dom-core-security → crypto-core-security
Component: DOM: Device Interfaces → DOM: Web Authentication

Looks like we're not passing the timeout option through to the macOS platform API. Probably because Apple didn't expose the option in the public API. But we can do something like this.

Not a security bug---the user has to interact with the document to trigger a makeCredential request, and they have the opportunity to cancel the transaction at the prompt.

Group: crypto-core-security
Severity: -- → S4
OS: Unspecified → macOS
Priority: -- → P3
Hardware: Unspecified → All
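
A page-side way to bound the ceremony while the platform prompt ignores `timeout`, as an added example that is not part of the bug report or of Firefox's code. The helper names `toCreationOptions` and `createWithDeadline` are hypothetical, and encoding the reported strings as UTF-8 is an assumption about how the page builds its buffers.

```javascript
// Added example, not Firefox or reporter code. Helper names are hypothetical.
const enc = new TextEncoder();

// Options from the report (constructed copy, compacted).
const REPORTED = {
  challenge: "testchanllengevalue",
  rp: { name: "test.com" },
  user: { id: "12345-543212-12345-54321", name: "NAME", displayName: "NAME" },
  attestation: "direct",
  timeout: 20000,
  authenticatorSelection: {
    authenticatorAttachment: "platform",
    requireResidentKey: false,
    userVerification: "required",
  },
  pubKeyCredParams: [
    { type: "public-key", alg: -7 },
    { type: "public-key", alg: -257 },
  ],
};

// WebAuthn requires BufferSource values for `challenge` and `user.id`.
// Assumption: the strings are UTF-8 encoded as-is; a real server usually
// sends base64url, which would need decoding instead.
function toCreationOptions(json) {
  return {
    ...json,
    challenge: enc.encode(json.challenge),
    user: { ...json.user, id: enc.encode(json.user.id) },
  };
}

// Run credentials.create() under a page-side deadline of `publicKey.timeout` ms.
// The abort signal asks the browser to cancel; the race settles the returned
// promise at the deadline even if the platform prompt stays open.
function createWithDeadline(publicKey, credentials = globalThis.navigator?.credentials) {
  const controller = new AbortController();
  const expired = new Promise((_, reject) => {
    controller.signal.addEventListener("abort", () => reject(controller.signal.reason), { once: true });
  });
  const timer = setTimeout(
    () => controller.abort(new DOMException("WebAuthn ceremony timed out", "TimeoutError")),
    publicKey.timeout,
  );
  const pending = credentials.create({ publicKey, signal: controller.signal });
  return Promise.race([pending, expired]).finally(() => clearTimeout(timer));
}
```

The relying party should still expire the challenge on the server, since a deadline enforced in the page only bounds what the page itself waits for.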