w3c / webauthn

Web Authentication: An API for accessing Public Key Credentials
https://w3c.github.io/webauthn/

Clarify behaviour of duplicate hints #2135

Closed emlun closed 2 months ago

emlun commented 2 months ago

§5.8.8. User-agent Hints Enumeration (enum PublicKeyCredentialHints) defines some behaviour for how hints are interpreted relative to each other:

Hints are provided in order of decreasing preference so, if two hints are contradictory, the first one controls. Hints may also overlap: if a more-specific hint is defined a Relying Party may still wish to send less specific ones for user-agents that may not recognise the more specific one.

But there's nothing explicit about what happens if a hint appears more than once:

{ hints: ["security-key", "client-device", "security-key"] }

A particularly adversarial reader could read this example as:

  1. "security-key" is preferred over "client-device",
  2. "client-device" is preferred over "security-key",
  3. therefore the preference order is not well defined!

Perhaps more likely is that implementation bugs could inadvertently end up with that kind of logic if the implementation does not take care to check whether or not a hint has already been encountered.

Proposed Change

Add to §5.8.8. User-agent Hints Enumeration (enum PublicKeyCredentialHints):

If the same hint appears more than once, its second and later appearances are ignored.
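
A worked example of the point made in this issue, added here and not part of the issue or of the w3c/webauthn code base: it normalises a hints sequence by keeping only the first occurrence of each value (the behaviour the proposed sentence specifies) and shows that a position-based reading of the raw sequence yields the contradictory preference pairs described, while the normalised sequence does not. The function names, the KNOWN_HINTS set and the choice to drop unrecognised strings are this example's own assumptions.

```javascript
// Added example, not code from the WebAuthn spec or the w3c/webauthn repo.
// Shows how a hints sequence with repeats can be read as contradictory,
// and how keeping only the first occurrence of each hint removes that.

// The three values of PublicKeyCredentialHints (assumed set for this example).
const KNOWN_HINTS = new Set(["security-key", "client-device", "hybrid"]);

// Keep the first occurrence of each hint and drop later repeats. Strings
// outside KNOWN_HINTS are dropped too, which is this example's assumption
// about how a user agent treats hints it does not recognise.
function normalizeHints(hints) {
  const seen = new Set();
  const out = [];
  for (const h of hints) {
    if (!KNOWN_HINTS.has(h) || seen.has(h)) continue;
    seen.add(h);
    out.push(h);
  }
  return out;
}

// Every "a>b" pair implied by position: a appears before b somewhere in
// the sequence. Run over the raw sequence this reproduces the issue's
// adversarial reading.
function impliedPreferences(hints) {
  const pairs = new Set();
  for (let i = 0; i < hints.length; i++) {
    for (let j = i + 1; j < hints.length; j++) {
      if (hints[i] !== hints[j]) pairs.add(`${hints[i]}>${hints[j]}`);
    }
  }
  return pairs;
}

// True if some pair is preferred in both directions.
function hasContradiction(pairs) {
  for (const p of pairs) {
    const [a, b] = p.split(">");
    if (pairs.has(`${b}>${a}`)) return true;
  }
  return false;
}

// Rank by first occurrence after normalisation; lower rank is preferred.
function rankHints(hints) {
  const rank = new Map();
  normalizeHints(hints).forEach((h, i) => rank.set(h, i));
  return rank;
}

// Constructed input: the sequence from the issue.
const example = ["security-key", "client-device", "security-key"];

console.log(hasContradiction(impliedPreferences(example)));                  // true
console.log(normalizeHints(example));                                        // [ 'security-key', 'client-device' ]
console.log(hasContradiction(impliedPreferences(normalizeHints(example))));  // false
console.log([...rankHints(example)]);                                        // [ [ 'security-key', 0 ], [ 'client-device', 1 ] ]
```

The contradiction only arises when preferences are derived from every position of the raw list; ranking each hint by its first occurrence gives a total order regardless of how many times a value is repeated, which is what the proposed sentence pins down.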

timcappalli commented 2 months ago

Add to §5.8.8. User-agent Hints Enumeration (enum PublicKeyCredentialHints):

If the same hint appears more than once, its second and later appearances are ignored.

SGTM