Oliver Hamlet

Results: 216 comments by Oliver Hamlet

Fair enough. Since that CI build's artifacts have expired I'll mark this as a bug but not awaiting feedback. If Windows on ARM ever leaves its perpetual beta I might...

I've changed my mind on calling this a bug because although blocking the install isn't intentional, we don't claim to support ARM.

> Why do you think that the passkey confirmation dialog doesn't suffice as a user presence check? That part has me very confused.

Oh, that's not what I meant, if...

> However, the request said to discourage user presence check.

Yes, but it doesn't matter that user verification is discouraged, user presence is still required. The only variable is if...

> Just for curiosity: have you reviewed any other password manager's implementation of Passkeys?

No, the only other open-source one with passkey support that I'm aware of is Bitwarden (every...

> @Ortham This assumption is false. The `origin` used in `CollectedClientData` comes from the browser's `window.location.origin` variable, not from the public key data. Unless you are using a malformed browser...

Yeah, but isn't that error coming from the RP? An attacker's RP would of course expect the fake origin.

I've dumped an example of the changes I'd like to make to the browser extension into [this commit](https://github.com/keepassxreboot/keepassxc-browser/compare/develop...Ortham:keepassxc-browser:passkey-changes).

- There are still a bunch of TODOs and FIXMEs (sameOriginWithAncestors being...

If you do that then you are explicitly not compliant with the WebAuthn standard though, and by doing so you're risking introducing privacy and/or security vulnerabilities. I would not take...

> Could you elaborate what privacy and/or security vulnerabilities this method would introduce in theory? The whole idea of the extension is to pass information between KeePassXC, and trying to...