Open battre opened 7 years ago
Just to clarify confusion, the above scenario assumes that the stored credentials do not match server expectations (are out of date).
The repeated failed auto-sign-in is only troublesome because the user keeps seeing the notification. If I read the spec correctly, the user agent is not forced to show that notification. While it is reasonable to do so (implied also by "the notification that credentials have been provided" in https://w3c.github.io/webappsec-credential-management/#privacy-signout), perhaps this can still be throttled by the user agent?
Following on that line of thought, the user agent might certainly analyse this strange behaviour and suggest to the user that they delete the stored credential. I don't think we should let the page delete credentials via a new delete() call. Even if this requires user consent, users are often happy to click without reading; deleting a credential might cause loss of access (in different situations) and perhaps be used in some attacks to replace the user's credentials with attacker-controlled ones (not going to try to come up with a complete attack now).
The suggestion with requireUserMediation() + get(..."unmediated": true) sounds reasonable to me.
Other than that, I think the spec does not need to specify a solution to the repeating notification problem, because it leaves the user agent enough room to fix this without conflicting with the spec.
The spec says "User agents MUST notify users when credentials are provided to an origin." https://w3c.github.io/webappsec-credential-management/#user-mediation-requirements
Thanks, I missed that. I still think the spec allows the user agent to fix the endless loop of notifications on every navigation. For example, similar to the checkbox allowing to silence alert() calls by a page, the user agent could decide to set the origin's "require_user_mediation" flag to true if the notifications get spammy.
The spec does not give precise guidelines for dealing with failed logins.
Assume the following setup:
As a result of this, the user will be notified about a login attempt on every navigation that will always fail.
What should we do about this?
- `requireUserMediation()` on a failed login.
- `navigator.credentials.get({"password": true, "unmediated": true})` on every page.
- `navigator.credentials.get({"password": true})` on every page, but introduce a `navigator.credentials.delete(c)` function that tells the user "The website asked to delete the credential (probably due to a failed login). Do you want to delete it? [yes] [no]"
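The failure loop described in the issue, and the two ways of breaking it that the thread discusses (the page calling `requireUserMediation()` after a failed login, and the user agent setting the origin's require-user-mediation flag itself once notifications get spammy), as an added example that is not part of the issue, the spec or any browser's code. `MockUserAgent`, `serverLogin`, `pageLoad`, `simulate` and the `throttleAfter` heuristic are assumptions made for this example; only the method names `get({password, unmediated})` and `requireUserMediation()` follow the draft spec quoted above. The constructed sample data has the server holding a newer password than the one the user agent stored, so every auto sign-in fails.

```javascript
// Mock of the user agent side of the draft Credential Management API, written
// for this example only (not Chromium's or any browser's implementation).
// Promises are left out to keep the model synchronous; the real API is async.
class MockUserAgent {
  constructor(storedCredential, { throttleAfter = Infinity } = {}) {
    this.storedCredential = storedCredential || null;
    this.requireMediation = new Set();  // origins whose require_user_mediation flag is set
    this.unmediatedCount = new Map();   // origin -> silent hand-outs so far
    this.notifications = [];            // one entry per "credentials provided" notification
    this.throttleAfter = throttleAfter; // assumed UA heuristic from the thread, not in the spec
  }

  credentialsFor(origin) {
    const ua = this;
    return {
      get(options) {
        if (!ua.storedCredential) return null;
        if (options.unmediated) {
          // Silent access is refused once the origin's flag is set.
          if (ua.requireMediation.has(origin)) return null;
          const n = (ua.unmediatedCount.get(origin) || 0) + 1;
          ua.unmediatedCount.set(origin, n);
          // Throttle heuristic: after N silent hand-outs, require mediation from now on.
          if (n >= ua.throttleAfter) ua.requireMediation.add(origin);
        }
        // Spec: "User agents MUST notify users when credentials are provided to an origin."
        ua.notifications.push({ origin, id: ua.storedCredential.id, unmediated: !!options.unmediated });
        return ua.storedCredential;
      },
      requireUserMediation() {
        ua.requireMediation.add(origin);
      },
    };
  }
}

// Constructed sample: the account's password was rotated server-side, so the
// credential the user agent still holds ('hunter2') no longer matches.
const SERVER_ACCOUNTS = { alice: 'hunter2-rotated' };
function serverLogin(id, password) {
  return SERVER_ACCOUNTS[id] === password;
}

// What the page runs on every navigation. `onFailure` selects the policy:
//   'ignore'               -> behaviour from the issue: retry on every navigation
//   'requireUserMediation' -> first option from the issue
function pageLoad(creds, onFailure) {
  const cred = creds.get({ password: true, unmediated: true });
  if (!cred) return { attempted: false, ok: false };
  const ok = serverLogin(cred.id, cred.password);
  if (!ok && onFailure === 'requireUserMediation') creds.requireUserMediation();
  return { attempted: true, ok };
}

// Simulate `navigations` page loads against one origin and count how many
// login attempts were made and how many notifications the user saw.
function simulate(navigations, onFailure, uaOptions) {
  const ua = new MockUserAgent({ id: 'alice', password: 'hunter2' }, uaOptions);
  const creds = ua.credentialsFor('https://example.test');
  let attempts = 0;
  for (let i = 0; i < navigations; i++) {
    if (pageLoad(creds, onFailure).attempted) attempts++;
  }
  return { attempts, notifications: ua.notifications.length };
}

// Stand-alone run: 5 navigations under each policy.
console.log('ignore failures:          ', simulate(5, 'ignore'));
console.log('requireUserMediation():   ', simulate(5, 'requireUserMediation'));
console.log('UA throttle after 2 gets: ', simulate(5, 'ignore', { throttleAfter: 2 }));
```

With the stale credential, ignoring failures yields one attempt and one notification per navigation; calling `requireUserMediation()` after the first failed login stops silent access, so the user sees exactly one notification; the assumed user-agent throttle caps it at the chosen count without any cooperation from the page. Neither approach needs a `delete()` call, which matches the objection raised in the thread.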