I think this was discussed before with mmenke@, but he's ooo: How does this feature work in cross-site iframes? What prevents the PRF from acting as a cross-site identifier (are credentials usable in cross-site iframes)?
Thanks,
-Caleb

On Monday, May 1, 2023 at 4:45:31 PM UTC-4 [email protected] wrote:

> Got it, given the phrasing there was a concern that there could be a
> non-standard addition to the contextual string.
> This works for us and we look forward to PRF landing in Chrome.
> -NS
>
> On Monday, May 1, 2023 at 4:22:43 PM UTC-4 Adam Langley wrote:
>
>> On Mon, May 1, 2023 at 12:47 PM Nick Steele <[email protected]> wrote:
>>
>>> 1 Password is also supportive of this extension being added. Being able to
>>> encrypt data alongside a credential would be useful to us and our users.
>>>
>>> I'd like some clarification on the contextual string being provided for
>>> HMAC hashing. What is the expected context input being provided?
>>
>> See https://w3c.github.io/webauthn/#prf-extension:
>>
>>> Let salt1 be the value of SHA-256(UTF8Encode("WebAuthn PRF") || 0x00 ||
>>> eval <https://w3c.github.io/webauthn/#dom-authenticationextensionsprfinputs-eval>
>>> .first <https://w3c.github.io/webauthn/#dom-authenticationextensionsprfvalues-first>).
>>
>> So any applications with more direct access to security keys have to
>> opt-into being compatible with the Web by picking salts with known
>> pre-images via that function. Existing uses do not get abruptly exposed to
>> the Web via this extension.
>>
>> Cheers
>>
>> AGL

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/a97bb230-0d0a-4741-86fe-6839f5269b7cn%40chromium.org.
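The salt derivation quoted in the thread above, as an added example that is not part of the original messages or of Chrome's code: it shows why a web page cannot reach a salt that a directly connected application chose, and how such an application opts in. The authenticator is assumed to behave as plain HMAC-SHA-256 keyed by a per-credential secret (the transport encryption of salts is left out), and the secret, salts and labels are constructed values.

```python
import hashlib
import hmac

PRF_CONTEXT = b"WebAuthn PRF"  # UTF8Encode("WebAuthn PRF") from the quoted spec text


def web_prf_salt(eval_first: bytes) -> bytes:
    """Salt the browser sends: SHA-256("WebAuthn PRF" || 0x00 || eval.first)."""
    return hashlib.sha256(PRF_CONTEXT + b"\x00" + eval_first).digest()


def authenticator_hmac_secret(cred_secret: bytes, salt: bytes) -> bytes:
    """Assumed authenticator model: HMAC-SHA-256 keyed by a per-credential secret."""
    if len(salt) != 32:
        raise ValueError("salt must be 32 bytes")
    return hmac.new(cred_secret, salt, hashlib.sha256).digest()


def prf_from_web(cred_secret: bytes, eval_first: bytes) -> bytes:
    """A web page never picks the raw salt, only the pre-image that is hashed."""
    return authenticator_hmac_secret(cred_secret, web_prf_salt(eval_first))


def prf_from_native(cred_secret: bytes, raw_salt: bytes) -> bytes:
    """An application with direct security-key access supplies the raw salt."""
    return authenticator_hmac_secret(cred_secret, raw_salt)


def demo() -> dict:
    cred_secret = bytes(range(32))  # constructed per-credential secret
    legacy_salt = hashlib.sha256(b"disk-key-v1").digest()  # constructed native salt
    legacy_out = prf_from_native(cred_secret, legacy_salt)
    # A page passing the same 32 bytes as eval.first lands on a different salt.
    web_out = prf_from_web(cred_secret, legacy_salt)
    # A native app that opts in derives its salt with the web function.
    opt_in_out = prf_from_native(cred_secret, web_prf_salt(b"shared-label"))
    return {
        "web_exposes_legacy": hmac.compare_digest(web_out, legacy_out),
        "opt_in_matches_web": hmac.compare_digest(
            opt_in_out, prf_from_web(cred_secret, b"shared-label")),
    }


if __name__ == "__main__":
    print(demo())
```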
