RESOLVED DUPLICATE of bug 254848248847
[WebAuthn] googleLegacyAppidSupport extension is obsolete and can be removed
https://bugs.webkit.org/show_bug.cgi?id=248847
Summary [WebAuthn] googleLegacyAppidSupport extension is obsolete and can be removed
Martin Kreichgauer
Reported 2022-12-06 17:04:46 PST
In https://bugs.webkit.org/show_bug.cgi?id=202427, WebKit added support for the non-standard googleLegacyAppidSupport WebAuthn request extension. If set by a google.com origin, this extension causes the WebAuthn API create() call to create a U2F API style credential bound to the hard-coded App ID `https://www.gstatic.com/securitykey/origins.json`, rather than a credential bound to a WebAuthn RP ID. Google.com stopped relying on this behavior several months ago. This means the googleLegacyAppidSupport extension is now obsolete and can be removed. (Here is Chromium’s change removing this extension: https://chromium-review.googlesource.com/c/chromium/src/+/3958174.) Note that google.com continues to rely on the ability to _assert_ legacy U2F/CTAP1 credentials bound to the `https://www.gstatic.com/securitykey/origins.json` U2F App ID for the foreseeable future.
Attachments
pascoe@apple.com
Comment 1 2022-12-06 19:32:18 PST
Thanks Martin.
Radar WebKit Bug Importer
Comment 2 2022-12-08 12:32:28 PST
pascoe@apple.com
Comment 3 2024-04-03 08:57:00 PDT
*** This bug has been marked as a duplicate of bug 254848 ***
Note You need to log in before you can comment on or make changes to this bug.