
[[Create]] should not access the global object directly #2092

Open
nsatragno opened this issue Jul 2, 2024 · 1 comment
Labels
@Risk Items that are at risk for L3 type:technical

Comments

@nsatragno
Member

The [[Create]] internal method for PublicKeyCredential has the following text:

    1. If the [=relevant global object=], as determined by the calling
        {{CredentialsContainer/create()}} implementation, does not have
        [=transient activation=]:

        1. Throw a "{{NotAllowedError}}" {{DOMException}}.

    1. [=Consume user activation=] of the [=relevant global object=].

However, [[Create]] is called in parallel, which means it cannot access the global object. This was pointed out for a different spec by @marcoscaceres.

I think the strange "as determined by the calling {{CredentialsContainer/create()}} implementation" may be trying to work around this issue, but consuming user activation does not have that blurb and to me that looks like underspecified behaviour. This might need some changes in credman: either we make it so internal methods can be run from the main thread, or we put this spec from webauthn directly in credman like we did for permissions policy.
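
A toy model of the problem described in this issue, added here as an illustration; it is not code from the WebAuthn or Credential Management specs or from any browser. `ModelGlobal`, `createCheckInParallel` and `createCheckOnMainThread` are hypothetical names and a boolean stands in for transient activation: the first function runs the activation check inside the in-parallel steps, which the model flags as an illegal access to the global object, while the second checks and consumes activation on the main thread before going in parallel, the outcome both options in the issue aim for.

```javascript
// Constructed model: a global object whose user-activation state may only be
// touched from the main thread. All names here are hypothetical.
class ModelGlobal {
  constructor() {
    this.onMainThread = true; // false while "in parallel" steps run
    this.activated = false;   // stands in for transient activation
  }
  userGesture() { this.activated = true; }
  assertMainThread(what) {
    if (!this.onMainThread) throw new Error(`in-parallel access to global: ${what}`);
  }
  hasTransientActivation() {
    this.assertMainThread("transient activation");
    return this.activated;
  }
  consumeUserActivation() {
    this.assertMainThread("consume user activation");
    this.activated = false;
  }
  inParallel(steps) { // run steps with main-thread state off limits
    this.onMainThread = false;
    try { return steps(); } finally { this.onMainThread = true; }
  }
}

function notAllowed() {
  const e = new Error("no transient activation");
  e.name = "NotAllowedError";
  return e;
}

// Shape of the quoted text: the internal method, already in parallel, does the check.
function createCheckInParallel(g) {
  return g.inParallel(() => {
    if (!g.hasTransientActivation()) throw notAllowed();
    g.consumeUserActivation();
    return "credential";
  });
}

// Check and consume on the main thread, then hand off to the parallel steps.
function createCheckOnMainThread(g) {
  if (!g.hasTransientActivation()) throw notAllowed();
  g.consumeUserActivation();
  return g.inParallel(() => "credential");
}

// Returns the result, or the error name (the message for a plain Error).
function outcome(fn, g) {
  try { return fn(g); } catch (e) { return e.name === "Error" ? e.message : e.name; }
}
```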

@nsatragno nsatragno self-assigned this Jul 2, 2024
@nadalin nadalin added this to the L3-WD-02 milestone Jul 17, 2024
@nadalin nadalin added the @Risk Items that are at risk for L3 label Jul 31, 2024