Don't make PRF available in any client that is not web/browser, even if it's lying about navigator.credentials (#18687)

This commit is contained in:
Anders Åberg 2026-01-30 20:55:40 +01:00 committed by GitHub
parent 7c4ea23f88
commit 903acfa3df
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -54,11 +54,12 @@ export class DefaultWebAuthnPrfUnlockService implements WebAuthnPrfUnlockService
return false;
}
// If we're in the browser extension, check if we're in a Chromium browser
if (
this.platformUtilsService.getClientType() === ClientType.Browser &&
!this.platformUtilsService.isChromium()
) {
// PRF unlock is only supported on Web and Chromium-based browser extensions
const clientType = this.platformUtilsService.getClientType();
if (clientType === ClientType.Browser && !this.platformUtilsService.isChromium()) {
return false;
}
if (clientType !== ClientType.Web && clientType !== ClientType.Browser) {
return false;
}