Joshua Zhao

Results 6 comments of Joshua Zhao

> In my experience, browser clients filter out extensions that they do not recognise and will not pass them along to authenticators. I'm not arguing for or against the idea,...

> > This is not a spec concern as the spec does not dictate that clients filter extensions. > > Each client and user agent has their own security and...

> > It _could_ be a spec concern, if the spec were to say that a client MUST NOT filter out extensions it does not recognise. Of course it doesn't...

Thanks @emlun for sharing the background behind this issue! Very helpful for someone like me who is familiar with WebAuthn in general but not so much in its detailed history....

> Browsers also cannot make any guarantees to their users about the privacy & security of WebAuthn if they allow unvetted extensions. > > > If browser vendors ignore what's...

> Unvetted extensions are not the right path as privacy and security of WebAuthn can be harmed with this approach. If people want certain functionality to be included in WebAuthn,...