IOS 15: WebAuthn catches error but still prompts user - javascript

The registration process with WebAuthn on IOS works fine and expected. As we use the same code on both android and ios, we dont use discoverable credentials, but instead saves the credential-id in a cookie. If an user deletes his cookie, we can not see if the user has registered previously without prompting the user for registration again. This is okay, and if we get an InvalidStateError (because the user is already registered) we let the user think he has registered again, and just creates a new cookie.
The problem is: When the navigator.credentials.create() is called, the InvalidStateError is catched immideately, before the user have time to do anything about the faceID prompt which shows. When the InvalidStateError is caught, the Registration Completed page shows. This means the completed page is shown behind the face-id prompt, which is very confusing for the user. How can the registration be completed if the face-id prompt is not finished?
On Windows, the error is not thrown before the user has completed the faceid prompt, which means the registration-process is experienced exactly as a first-time registration.
Is it a bug that the prompt is shown after the error is thrown? Any tips to how i can work around this? If this is not the right forum to ask - where is a better place?
Best regards, Nina

Is it a bug that the prompt is shown after the error is thrown? Any tips to how i can work around this? If this is not the right forum to ask - where is a better place?
This feels like a bug in WebKit. My recommendation is to submit a bug report over at https://bugs.webkit.org/. If you can, include a video showing the issue using iOS' screen recorder; it'll probably be impossible to capture a screenshot mid-registration because in my experience iOS dismisses the Face ID prompt if you try to take one.

Related

Java Applets - Application/Publisher Show 'Unknown' for Signed Applet On Javascript->Java Calls

Our product is running into an issue specific to Java 8. Java 6/7 runs fine.
We have a package of Java applets that multiple customers use, so the domain this package is deployed to is always different. The package is properly signed with the certificate from Verisign.
When the end user launches a page in the browser, the expected dialog with our application name and publisher appears, and asks the end user to accept the security warning. The end user accepts and clicks 'Do not ask again' and the page runs fine.
The trouble starts with pages that make Javascript calls into the Java applets. The behavior appears to be random. New security popups appear, asking the end user to accept the certificate again. My understanding is that once the user selects the certificate initially, this should not happen again. Yet it does.
Then also sometimes the popup appears with the application name and publisher set to UNKNOWN. There does not seem to be any reason for this, the applet package is confirmed to be signed correctly and with a valid certificate from Verisign. Yet, it occurs.
I recognize the initial popup is unavoidable but all of these downstream popups, especially those where the application/publisher are UNKNOWN don't make sense to me, and I'm not sure how to debug this further. The java console trace logs do not clearly show any more details.
Any ideas? Please feel free to ask me more detail if there is something here unclear.

Script to automatically submit form in any browser

Note: I could not think words for this question to search in Google. That's why asking my question. Please bear with me.
I have internet subscription of xyz company and it's login based connection. But what happens is that sometimes login screen reappears and is asking for password. I have already stored user name and password in web page but I have to click on login button to relogin again.
Can I have any script written for this login page that whenever internet connection goes and asks for relogin again, script automatically submit form and get connected with internet?
You're looking for content scripts. There is no cross-browser way to inject code into a web page, but each major browser has a well documented way to do it:
Firefox
Chrome
Internet Explorer
Technically you could also write a script that sniffs HTTP requests using a tool like Wireshark and posts form data whenever it detects the page is displayed, but that doesn't seem like a great solution.

Chromecast window.location.reload(true) throws undefined

A few months ago while developing application for Chromecast and Android devices I have used
window.location.reload(true)
a lot. It was used to reload JavaScript and images in Receiver.
Recently I got back to develop app and now when I use this command, I get undefined in console. Nothing reloads, Sender still can communicate with Receiver. I launch this command again and then, debug is detached, Chromecast crashes and it needs to be reloaded...After it reloads, I launch Sender which launches Receiver and still cache is not cleared. So I use command again and it works. But only one time. Second time, the same situation.
Any ideas what is wrong?
My Chromecast uses 220620 firmware version.
EDIT
Further investigation. Problem appears when I don't do anything for some time, for instance 50 seconds. If I do it right away or in a few seconds, it's OK.
Maybe it could be the timeout when debugging. Try to add the following in your js:
castReceiverManager.start({maxInactivity: 600});
And that will wait 10 minutes.
I was reading this question again, and I should say that what I use the most is to just hit F5 on devtools. Also make sure you have the option "Disable cache (while DevTools is open)" enable for better results.

Browser Close event in IE 7 and IE 8

I know there are many posts in the forum on browser close event. But still thought of posting it. How do I get to fire the onbeforeunload event correctly all the time. As I see, in some client browser it works and in some it does not.
When I used the onbeforeunload event, I used to get IE warning, saying do you want to run ActiveX scripts. To avoid that I used the following code
<!--doctype html>
<!-- saved from url=(0014)about:internet -->
Can anyone let me know the standard method to be used. All I need to do is when user closes the browser without clicking on sign out button, I need to update the logout field in DB for that users login entry
Any help is appreciated.
That's not a reliable (or safe) way to end an authenticated user's session.
What if they don't close the browser? The user is still logged in and
if someone else uses that browser they could use that session?
What if a user opens multiple tabs then closes one of them? They
would be logged out incorrectly.
The correct way to end an authentication session is to let it expire after several minutes of inactivity. On each new request you reset the timer and, independently, a recurrent service/process ends those sessions that have exceeded the activity timeout.

Javascript Confirm method Kills my session data on Safari 5.0.2

There is something seriously wrong here. I am about a 100% sure the confirm method is causing serious issues with sessions on Safari. The confirm prompt basically asks the user to make sure he/she wants to go through with an action before pulling off a Jquery POST. This works fine on every other browser, but on Safari the users session data gets deleted and they get logged out upon refreshing the page. I removed the method and everything is back to normal. Has anyone experienced this before? Very strange... shakes fist at apple
Edit: I tried using Jqueries Dialog widget and I am experiencing the same issues. What do you think is going on?
Edit2: For those who are curious, the alert doesn't wipe out the session data, it just brings the control back to the client end therefore the browser isn't really in touch with its server side. This comment explains it best:
You have to be mindful of where your code is running when you are
using ASP.NET. In your example, since you are using the Session
object, you are running on the server. Your web server has no way of
popping up an alert dialog on the user's machine. Instead, it has to
write JavaScript code to the client, which can then execute this code
and give the user an alert. So, you need to change your approach. If
you need the alert, you will need to feed the information to the
client, and have the entire check take place there, in which case you
lose access to your session variable (stored on the server), so the
only comparison you will be able to do is based on something on that
form or else something that you write out to the client machine.
Reference: http://www.velocityreviews.com/forums/t65880-javascript-alert-function.html
It's ridiculous to see that Safari does not automatically handle this situation like it's counterparts.
Edit3: More proof! A quick google search revealed lots of people on Safari have complaints about getting signed out of facebook randomly. Facebook also has pop up balloon warnings that notify you about important instances such as walking away from a half written message. I get logged out every time that balloon warns me! It's like a tough bouncer for Safari. What is going on here?
Okay, here's the solution, if you are running Safari 5.0.5 UPDATE NOW! 5.0.5 is junk. Call this a coincidence but for me this has reenforced the age long cliche about Apples inability to develop good software.

Categories

Resources