> Is there additional fingerprinting risk here? I'm happy to see this move forward even if there is, but we should call it out.
The current set of capabilities does not pose such a risk (privacy review <https://chromestatus.com/feature/5128205875544064?gate=5101665930444800>). However, if any new capabilities will be added to the method that do pose a fingerprinting risk, they should undergo a blink-dev / privacy review. Also, probably it is worth to highlight the discussions about fingerprinting vectors that happened here: https://github.com/w3c/webauthn/pull/1923 On Wed, Nov 20, 2024 at 6:14 PM Alex Russell <slightly...@chromium.org> wrote: > Is there additional fingerprinting risk here? I'm happy to see this move > forward even if there is, but we should call it out. > > On Tuesday, November 19, 2024 at 9:24:50 AM UTC-8 Andrii Natiahlyi wrote: > >> Hello Mike, >> >> Thank you for your feedback. >> >> Regarding Gecko, I requested a Mozilla position on this emerging web >> specification >> <https://github.com/mozilla/standards-positions/issues/1114>. >> >> > Given that any capability can be omitted, do we expect {} to be >> conforming, however unlikely (I think yes?)? >> >> And yes, you're correct. Even though it's unlikely, we do expect an empty >> set `{}` to be conforming. >> >> Best, >> Andrii >> >> >> On Mon, Nov 18, 2024 at 7:43 PM Mike Taylor <miketa...@chromium.org> >> wrote: >> >>> On 11/14/24 9:39 AM, 'Andrii Natiahlyi' via blink-dev wrote: >>> >>> Contact emails natiah...@google.com, a...@google.com >>> >>> Explainer None >>> >>> Specification https://w3c.github.io/webauthn/#sctn-getClientCapabilities >>> >>> Summary >>> >>> getClientCapabilities() method allows to determine which WebAuthn >>> features are supported by the user's client. The method returns a list of >>> supported capabilities, allowing developers to tailor authentication >>> experiences and workflows based on the client's specific functionality. >>> >>> >>> Blink component Blink>WebAuthentication >>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EWebAuthentication> >>> >>> TAG review None >>> >>> It may be useful to send a non-blocking/FYI review here, since this is a >>> flavor of feature detection. >>> >>> >>> TAG review status Not applicable >>> >>> Risks >>> >>> >>> Interoperability and Compatibility >>> >>> None >>> >>> >>> *Gecko*: No signal >>> >>> Can we ask for one? >>> >>> >>> *WebKit*: Shipped/Shipping ( >>> https://developer.apple.com/documentation/safari-release-notes/safari-17_4-release-notes#WebAuthn >>> ) >>> >>> *Web developers*: No signals >>> >>> *Other signals*: >>> >>> WebView application risks >>> >>> Does this intent deprecate or change behavior of existing APIs, such >>> that it has potentially high risk for Android WebView-based applications? >>> >>> None >>> >>> >>> Debuggability >>> >>> None >>> >>> This should probably be N/A - DevTools doesn't need anything special >>> here. >>> >>> >>> >>> Will this feature be supported on all six Blink platforms (Windows, Mac, >>> Linux, ChromeOS, Android, and Android WebView)? Yes >>> >>> Is this feature fully tested by web-platform-tests >>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>> ? Yes >>> >>> https://wpt.fyi/results/webauthn/getclientcapabilities.https.html >>> >>> Given that any capability can be omitted, do we expect {} to be >>> conforming, however unlikely (I think yes?)? >>> >>> >>> >>> DevTrial instructions >>> https://docs.google.com/document/d/e/2PACX-1vR3yUwIFZ0LbKpJ6J4GBamP-IrBgkal3arJ_CZLbRZwBDhFTZpdpVYMsPuvB6Mjnl0heE-6r9wE7Sfw/pub >>> >>> Flag name on about://flags enable-experimental-web-platform-features >>> >>> Finch feature name WebAuthenticationClientCapabilities >>> >>> Requires code in //chrome? False >>> >>> Tracking bug https://g-issues.chromium.org/issues/360327828 >>> >>> Availability expectation Safari has shipped an implementation already. >>> >>> Estimated milestones >>> Shipping on desktop 133 >>> DevTrial on desktop 131 >>> Shipping on Android 133 >>> DevTrial on Android 131 >>> Shipping on WebView 133 >>> >>> Anticipated spec changes >>> >>> Open questions about a feature may be a source of future web compat or >>> interop issues. Please list open issues (e.g. links to known github issues >>> in the project for the feature specification) whose resolution may >>> introduce web compat/interop risk (e.g., changing to naming or structure of >>> the API in a non-backward-compatible way). >>> None >>> >>> Link to entry on the Chrome Platform Status >>> https://chromestatus.com/feature/5128205875544064?gate=5206408640069632 >>> >>> Links to previous Intent discussions Intent to Prototype: >>> https://groups.google.com/a/chromium.org/g/blink-dev/c/Wb8VjXe_zT8 >>> Ready for Trial: >>> https://groups.google.com/a/chromium.org/g/blink-dev/c/YTkGIdlQMAw >>> >>> >>> This intent message was generated by Chrome Platform Status >>> <https://chromestatus.com/>. >>> >>> -- >>> >>> Andrii Natiahlyi >>> >>> Software Engineer >>> >>> natiah...@google.com >>> >>> Google Germany GmbH >>> >>> Erika-Mann-Straße 33 >>> >>> 80636 München >>> >>> Geschäftsführer: Paul Manicle, Liana Sebastian >>> >>> Registergericht und -nummer: Hamburg, HRB 86891 >>> >>> Sitz der Gesellschaft: Hamburg >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to blink-dev+unsubscr...@chromium.org. >>> To view this discussion visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAMrd0vy9wGn_fEQ4e9mX87cgz_jReJw7zOhbTrDweKARCUwyRw%40mail.gmail.com >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAMrd0vy9wGn_fEQ4e9mX87cgz_jReJw7zOhbTrDweKARCUwyRw%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >>> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAMrd0vyoiVneMoaMOi2xBzp1hPDRLVHV%3DdMVjTTVJqwXsYKTQA%40mail.gmail.com.