You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When extending the Credential internal methods in WebAuthn(w3c/webauthn#1706) and WebOTP(WICG/web-otp#57) to incorporate propagating the AbortSignal's abort reason, it was found that the algorithm wouldn't make a distinction between successful and failure return values. Hence, you could spoof successful return values as abort reason can be anything.
It was decided that it would be better to throw the abort reason instead of returning it (w3c/webauthn#1706 (comment)). This is because we don't want the WebAuth API, for example, to handle abort reason differently from other places/specs. This requires changes on the Credential Management spec side as well to match this behavior change and not break the integration. (#196)
Following on from this, we decided to throw all exceptions instead of returning them in these Credential internal methods, otherwise we'll run into the same issue when another spec extends the methods. (#196 (review))
When extending the Credential internal methods in WebAuthn(w3c/webauthn#1706) and WebOTP(WICG/web-otp#57) to incorporate propagating the AbortSignal's abort reason, it was found that the algorithm wouldn't make a distinction between successful and failure return values. Hence, you could spoof successful return values as abort reason can be anything.
It was decided that it would be better to throw the abort reason instead of returning it (w3c/webauthn#1706 (comment)). This is because we don't want the WebAuth API, for example, to handle abort reason differently from other places/specs. This requires changes on the Credential Management spec side as well to match this behavior change and not break the integration. (#196)
Following on from this, we decided to throw all exceptions instead of returning them in these Credential internal methods, otherwise we'll run into the same issue when another spec extends the methods. (#196 (review))
cc/ @nsatragno
The text was updated successfully, but these errors were encountered: