prefiks / u2f4moz

U2F support extension for Firefox
GNU Lesser General Public License v2.1

[Question, Web dev] Best way for detecting U2F in Web pages #38

Open My1 opened 8 years ago

My1 commented 8 years ago

I am writing a site that also should work with U2F but there's one important question.

What is the best way to detect U2F functionality for both Chrome and users of add-ons for other browsers?

KellerFuchs commented 7 years ago

@My1 Test if window.u2f (or window.u2f.register?) exists. Cf. https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-javascript-api.html#high-level-javascript-api

My1 commented 7 years ago

Thanks, but last time I tried, it certainly didn't work.

screenshot 346

prefiks commented 7 years ago

Hm, if (typeof window.u2f !== "undefined") returns true, then it must have some value set, right?

My1 commented 7 years ago

Yes, but for Internet Explorer (bottom right) it should not be true; I don't think IE does U2F.

prefiks commented 7 years ago

Ah, interesting. Could you see what value typeof returns for it in IE, instead of checking if it's not undefined? Also, isn't that script you are loading defining it, by chance (if it's a compatibility shim for Chrome, then I am pretty sure it does that)?

My1 commented 7 years ago

Well, I used the Yubico documentation to do U2F and they said:

"Client-side

This section assumes that you are building a web site. If this is not the case, have a look at our U2F host libraries instead. Also note that Chrome is currently the only web browser supporting U2F. The main part of the client is to be a middle-man between the server and the U2F device. The easiest way to use U2F in a supported browser is to use the u2f-api.js library, which exposes two functions:

u2f.register: Register using a U2F device.
u2f.sign: Authenticate using a U2F device."

https://developers.yubico.com/U2F/Libraries/Using_a_library.html

So at least the text pretty much assumes that the API (or something similar) is needed to expose those functions.

If I don't load the API prior to checking, a plugged Firefox says true but everyone else (including Chrome) says false.

prefiks commented 7 years ago

Chrome does expose U2F functionality as an extension messaging port, and what that JS code does is implement the window.u2f.register/sign functions by sending/receiving messages from that port. This Firefox extension just makes window.u2f.register/sign always available.

So your check probably should work by checking if window.u2f exists before loading that script; if it's here, you're good to go. If not, check if it's Chrome and you should be good as well (you could also check for the browser version in this situation to see if it's one that should have it).
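
The check order described in the comment above, as an added example (not code from this thread, from u2f4moz or from u2f-api.js). It takes a window-like object so it can run on constructed samples; the chrome.runtime.connect probe, the result names and the sample objects are assumptions made for illustration.

```javascript
"use strict";

// True when the browser (or an add-on such as u2f4moz) already provides the API.
function hasNativeU2f(win) {
  const u2f = win.u2f;
  return u2f != null &&
    typeof u2f.register === "function" &&
    typeof u2f.sign === "function";
}

// Heuristic: Chrome user agent plus a messaging API the shim could talk to.
// Assumption: chrome.runtime.connect is visible to the page. Forks that copy
// Chrome's user agent also match, so treat the result as a hint only.
function looksLikeChrome(win) {
  const ua = (win.navigator && win.navigator.userAgent) || "";
  const runtime = win.chrome && win.chrome.runtime;
  return /\bChrome\/\d+/.test(ua) && !!runtime &&
    typeof runtime.connect === "function";
}

// Call this BEFORE loading u2f-api.js: the shim defines window.u2f itself.
function detectU2f(win) {
  if (hasNativeU2f(win)) return "native";
  if (looksLikeChrome(win)) return "needs-shim";
  return "unsupported";
}

// Constructed window-like objects standing in for real browsers.
const noop = function () {};
const IE_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko";
const samples = {
  firefoxWithAddon: { u2f: { register: noop, sign: noop },
    navigator: { userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" } },
  chromeBeforeShim: { chrome: { runtime: { connect: noop } },
    navigator: { userAgent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" } },
  ieBeforeShim: { navigator: { userAgent: IE_UA } },
  // Same browser after the shim ran: window.u2f now exists, so the check lies.
  ieAfterShim: { u2f: { register: noop, sign: noop }, navigator: { userAgent: IE_UA } },
};

for (const [name, win] of Object.entries(samples)) {
  console.log(name, "->", detectU2f(win));
}
```

The ieAfterShim sample reports "native" even though nothing in the browser backs it, which is why the site should fall back to another second factor unless the check ran before the shim was loaded.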

My1 commented 7 years ago

But if a browser goes for a Chrome-similar approach (it might just be a fork of it) then it won't work, which is a bit sad because it needs to stay updated. And that the user agent isn't reliable is pretty obvious, considering that all browsers have Mozilla in their agents to circumvent user-agent-based browser switches.

prefiks commented 7 years ago

Well, there is no real solution for having a 100% sure way to be forward compatible, and I doubt that other browsers will implement an interface that is compatible with what Chrome does (this will require having a message port exposed as window.chrome.extension., and having a lot more code that Chrome has for extension managing).

My1 commented 7 years ago

Okay. It is a bit sad that there isn't some kind of "featureset" array set by the browser and read-only, where any JS software can check whether feature x is available.

It would be interesting to know how GitHub did it, but when I checked some months ago I couldn't make much sense of their code, honestly.