Conversations with the WebAuthn WG have led me to believe that we did a bad job naming `requireUserMediation()`. It would be a good idea to consider alternatives that we could move to which would make its purpose more clear.

Quoting from https://lists.w3.org/Archives/Public/public-webauthn/2017Apr/0147.html:
> The credential management API's `requireUserMediation()` is a (perhaps poorly-named) attempt to distinguish between a "signed-in" and a "signed-out" user. For the latter, we need to ensure that the user is always involved in the decision to hand over credentials. For the former, the user agent might be able to hand over a password without asking the user, if the user agent has gained permission to do so (via a "keep me signed into this site" checkbox, for instance).
>
> It seems to me that this is a pretty reasonable distinction to make at a generic level, and that it's orthogonal to the question of whether a specific type of credential imposes additional restrictions upon its usage. That is, it seems reasonable to both support an RP that would accept "user presence not required" assertion, but to interpose a prompt of some sort if the user's signed out.
>
> Personally, I think the real issue here is the method's name. Would you still be concerned about the overlap if we renamed it to something like `theUserTotallyJustSignedOutPleaseDontSignThemBackInWithoutAsking()`? That's absolutely on the table, given the API's current implementation/deployment (though perhaps with a little more thought put into the naming... :) ).
`theUserTotallyJustSignedOutPleaseDontSignThemBackInWithoutAsking()` is pretty verbose, but `signOut()` might be good enough?

WDYT, @kpaulh, @leshi, @balfanz, @battre, and @jyasskin?
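The signed-in / signed-out distinction the quoted mail describes, as an added toy model in JavaScript (not code from this issue, from the Credential Management spec, or from any browser): a user agent keeps, per origin, a stored credential, whether the user allowed the site to use it silently, and whether the site has called `requireUserMediation()` since. Everything except the name `requireUserMediation()` is an assumption made for illustration, including the policy that a user-mediated sign-in ends the signed-out state; the sample origins and credentials are constructed.

```javascript
// Added toy model of a user agent's credential-mediation policy.
// Not the Credential Management spec algorithm; names and policy are assumptions.

class UserAgentCredentialStore {
  constructor() {
    // origin -> { credential, silentAccessAllowed, mediationRequired }
    this.entries = new Map();
  }

  // The site stores a credential. `silentAccessAllowed` models a
  // "keep me signed into this site" style permission the user granted the UA.
  store(origin, credential, { silentAccessAllowed = false } = {}) {
    this.entries.set(origin, { credential, silentAccessAllowed, mediationRequired: false });
  }

  // Called by the site when the user signs out (the method the issue wants to
  // rename): from now on the user must be involved before this origin gets a
  // credential back.
  requireUserMediation(origin) {
    const entry = this.entries.get(origin);
    if (entry) entry.mediationRequired = true;
  }

  // The site asks for a credential. `promptUser` stands in for the UA's chooser
  // and returns true if the user picks the credential. Returns
  // { credential, mediated } or null when nothing is stored or the user declines.
  get(origin, { unmediated = false, promptUser }) {
    const entry = this.entries.get(origin);
    if (!entry) return null;
    const { credential } = entry;

    // Two independent conditions must hold for a silent hand-over:
    //  1. the credential type itself permits it (a credential that requires
    //     user presence never goes out silently, whatever the sign-in state);
    //  2. the user is "signed in": silent access was granted and the site has
    //     not called requireUserMediation() since.
    const typeAllowsSilent = !credential.requiresUserPresence;
    const stateAllowsSilent = entry.silentAccessAllowed && !entry.mediationRequired;

    if (unmediated && typeAllowsSilent && stateAllowsSilent) {
      return { credential, mediated: false };
    }

    // Otherwise the user decides.
    if (!promptUser(origin, credential)) return null;
    // Assumption of this model: a user-mediated sign-in ends the signed-out state.
    entry.mediationRequired = false;
    return { credential, mediated: true };
  }
}

// Walks through the scenario from the mail with constructed sample data and
// returns one outcome string per step.
function runScenario() {
  const ua = new UserAgentCredentialStore();
  const origin = "https://rp.example"; // constructed sample origin
  const userAccepts = () => true;
  const userDeclines = () => false;
  const describe = (r) => (r === null ? "no credential" : r.mediated ? "prompted" : "silent");
  const outcomes = [];

  ua.store(origin, { id: "alice", requiresUserPresence: false }, { silentAccessAllowed: true });
  // Signed in: the UA may hand the password over without asking.
  outcomes.push(describe(ua.get(origin, { unmediated: true, promptUser: userDeclines })));
  // The user signs out; the site calls requireUserMediation().
  ua.requireUserMediation(origin);
  // Signed out: a silent request now falls through to a prompt, which the user declines.
  outcomes.push(describe(ua.get(origin, { unmediated: true, promptUser: userDeclines })));
  // The user explicitly signs back in via the prompt.
  outcomes.push(describe(ua.get(origin, { unmediated: true, promptUser: userAccepts })));
  // Signed in again: silent access works once more.
  outcomes.push(describe(ua.get(origin, { unmediated: true, promptUser: userDeclines })));

  // Orthogonal restriction: a credential that requires user presence always
  // prompts, even while the user is signed in.
  const upOrigin = "https://up.example"; // constructed sample origin
  ua.store(upOrigin, { id: "bob", requiresUserPresence: true }, { silentAccessAllowed: true });
  outcomes.push(describe(ua.get(upOrigin, { unmediated: true, promptUser: userAccepts })));

  return outcomes;
}

console.log(runScenario());
```

The point the model makes explicit is that `requireUserMediation()` only flips the second of the two conditions in `get()`; a credential type's own "user presence" requirement is checked separately, so renaming the method does not change how the two interact.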