
Issue 901589


Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug-Regression




WebAuthn Silent Failure On Bad User Icon Value

Reported by dsander...@ucsbalum.com, Nov 3

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36

Steps to reproduce the problem:
1. Invoke `navigator.credentials.create` with the user's dict including the `icon` key, but with value `null`

What is the expected behavior?
Either successfully initiating the credentials registration process, or an error if `null` is not an allowed value.

What went wrong?
The UI says it is initiating the credentials registration process and says to plug in an authenticator, but the authenticator never activates even if plugged in. As such it's a silent failure: there are no errors in the console, and the UI suggests that everything is working as expected, but you can't complete the process.

Did this work before? Yes 68

Does this work in other browsers? N/A

Chrome version: 70.0.3538.77 Channel: stable
OS Version: OS X 10.14.1
Flash Version:

This used to work in older versions of Chromium, definitely in 68. I don't think that `null` for the `icon` key is valid under the spec, but providing a bad value shouldn't lead to a silent failure; it should produce a hard error.
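As an added example (not part of the bug report or of Chromium), this is how a relying party can build the `publicKey` options so that a `null` or `undefined` `icon` is dropped instead of being forwarded to the browser and, over CTAP2, to the authenticator, and so that a stalled ceremony is bounded by the standard `timeout` field rather than hanging silently. The helper names `buildUserEntity`, `buildCreationOptions` and `registerCredential` are hypothetical.

```javascript
// Added example, not code from the bug report. Builds WebAuthn creation options
// defensively: `user.icon` is only included when it is a non-empty string, so a
// null value is never passed through to a CTAP2 authenticator.
function buildUserEntity({ id, name, displayName, icon }) {
  // WebAuthn limits user.id to 1..64 bytes of opaque data.
  if (!(id instanceof Uint8Array) || id.length === 0 || id.length > 64) {
    throw new TypeError("user.id must be 1..64 bytes");
  }
  const user = { id, name, displayName };
  if (typeof icon === "string" && icon.length > 0) {
    user.icon = icon;                 // well-formed value: forward it
  } else if (icon !== null && icon !== undefined) {
    // Anything else (number, object, ...) is a programming error: fail loudly.
    throw new TypeError("user.icon must be a URL string when present");
  }
  // null/undefined: omit the key entirely rather than sending a bogus value
  return user;
}

function buildCreationOptions({ rpId, rpName, user, challenge, timeoutMs = 60000 }) {
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new TypeError("challenge must be at least 16 random bytes from the server");
  }
  return {
    rp: { id: rpId, name: rpName },
    user: buildUserEntity(user),
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    timeout: timeoutMs, // bounds the ceremony so a non-responding authenticator surfaces as an error
    attestation: "none",
  };
}

// Browser-only: runs the ceremony and turns a missing result into a visible error.
async function registerCredential(options) {
  const cred = await navigator.credentials.create({ publicKey: options });
  if (!cred) throw new Error("credential creation returned no credential");
  return cred;
}
```

`registerCredential` rejects with the browser's `DOMException` (e.g. `NotAllowedError`) when the timeout elapses, so the hang described above becomes a catchable failure.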
 
Labels: Needs-Bisect Needs-Triage-M70
Cc: swarnasree.mukkala@chromium.org
Labels: Needs-Feedback Triaged-ET
Thanks for filing the issue...

@reporter: Could you please provide a sample file or URL that reproduces the issue? That would be really helpful for triaging it.
Components: Blink>WebAuthentication Blink>SecurityFeature>CredentialManagement
Hi, can you also add which authenticator you are using?

Off the top of my head - one primary difference between 68 and 70 is that now Chrome will use the CTAP2 protocol if the authenticator supports it, and in this protocol the icon value is passed all the way through to the authenticator. If you're using a CTAP2-enabled authenticator, then it's possible that the authenticator itself is choking on the 'null' value.

Will take a closer look.
Owner: kpaulhamus@chromium.org
Status: Assigned (was: Unconfirmed)
@kpaulhamus, I'm using a Yubico Security Key: https://www.yubico.com/product/security-key-by-yubico/

It's the version with the 2 on it, which says it supports FIDO2 so I believe that means CTAP2.

The authenticator choking on it would explain why the UI looks like the normal process but the authenticator doesn't light up.
