webauthn
webauthn copied to clipboard
w3c
add feature detection blurb...
..pointing back to credman's section 7.1. Website Authors, which briefly & explicitly explains that trying to use if (!navigator.credentials) ... is suboptimal for feature detection, rather if (!window.PublicKeyCredential) ... ought be used. [the examples in webauthn already use the latter as feature detection, so they are already good]
In webauthn-json (which is the library we're using in the GitHub codebase itself), we're using this:
export function supported(): boolean {
return !!(navigator.credentials && navigator.credentials.create && navigator.credentials.get && window.PublicKeyCredential);
}
(https://github.com/github/webauthn-json/blob/61dfd2b004316f5ebc096dfd2ac0576318bfdee7/src/webauthn.ts#L28-L30)
Is that still the "recommended" way to detect support for security key operations?
technically, according to credman's section 7.1. Website Authors, one only needs to check for window.<necessary-credential-type>, however I'm not a JS & client-side-dev expert. AFAIK, a user agent would need to implement all the things you're checking for in order to support "just" PublicKeyCredential so your thorough check ought to work correctly across various partial impls of crendential management?
Yeah, we had some issues with https://github.com/brave/brave-ios when we were trying to detect features we thought were needed for WebAuthn compat. Testing the recommended value + the functions that we'll need to call seemed like the best way to check that things will work as expected.
