PublicKeyCredentialCreationOptions: `attestation` and `authenticatorSelection` can be omitted(?)

[claudiodekker]

According to MDN, both the attestation and authenticatorSelection options can be omitted: https://developer.mozilla.org/en-US/docs/Web/API/CredentialsContainer/create

This seems to be backed up by the W3 spec, which states that the default for attestation is none (and as such can be implied when missing), as well as that the authenticatorSelection serves as a 'filter' of sorts that as such is also optional: https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialcreationoptions

However, I'm not 100% sure on this, as the spec is fairly complex, but I think it'd be great if (when using the defaults) if this could be omitted, as to optimize the amount of data that's sent over the wire in low-bandwidth situations.

---

https://github.com/web-auth/webauthn-framework/blob/6fab042ce9e74be5642f5579da64e2893148e6d6/src/webauthn/src/PublicKeyCredentialCreationOptions.php#L210-L212

https://github.com/web-auth/webauthn-framework/blob/6fab042ce9e74be5642f5579da64e2893148e6d6/src/webauthn/src/PublicKeyCredentialCreationOptions.php#L160-L162

[Spomky]

Hi,

Many thanks for reporting this. As far as I remember, the properties are set because they are needed by the FIDO Alliance Certification Tools. I must double-check that first before changing the behavior.

[github-actions[bot]]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.