
Issue 618654 link


Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




U2F support requires window focus.

Reported by johan.ve...@gmail.com, Jun 9 2016

Issue description

Chrome Version       : Version 51.0.2704.84 m
URLs (if applicable) : 
      https://myaccount.google.com/security/signinoptions/two-step-verification
      https://u2fdemo.appspot.com/
      https://demo.yubico.com/u2f

No other browsers were tested, since they do not support U2F at this time.

What steps will reproduce the problem?
(1) Start a registration
(2) Focus another window (not chrome).
(3) Enable the Authenticator

What is the expected result?

The Authenticator is found and the registration/login succeeds.

What happens instead?

The Authenticator is found, the request is passed to the Authenticator and processed but the webpage never sees the reply and times out.

Refocusing the Chrome window does not help; the registration has to be started again.


 
Status: WontFix (was: Unconfirmed)
This is by design. In order to protect users' privacy, we do not wish background tabs or embedded iframes from an origin other than the outer frame's origin to be able to register a new U2F key. U2F registration yields a strong identifier for the user on the origin that gets the registration data, namely, a public key and key handle. We wish to ensure the user has given direct, informed consent to that operation. See FIDO's Privacy Principle #1:

"Require explicit, informed user consent for any operation using personal data

This includes collection and use of personal, identifiable data during registration, user verification, and transaction confirmation."

https://fidoalliance.org/assets/images/general/FIDO_Alliance_Whitepaper_Privacy_Principles.pdf

When a registration is allowed from a background tab, the user can't know which tab is requesting access, and the consent cannot be considered informed. As a result, registration from background tabs is not allowed.

Hi Juan,

I understand the reasoning and you have a point.

However, I see two issues with the current behavior:

1) Chrome fails silently and lets the attempt time out. This is an issue, either because the user can't do what he expects to do and doesn't understand why, or because a background tab tried a protected action and the user is not warned about it.

2) The action is still performed. Why doesn't Chrome abort it as soon as the tab leaves focus?

Out of curiosity, why is a displayed foreground tab that just doesn't have window focus considered a background tab?
