Summary
CEF remains unable to support mainstream passkey/security-key login flows inside embedded panes, and the docs already point toward a dedicated auth-window concept as the likely escape hatch.
Why this matters
Sites that require WebAuthn force users out to the system browser, which is a real product gap for modern authentication flows.
Evidence
docs/reference/permissions.md:28-32 documents that WebAuthn is disabled in embedded CEF panes and explicitly references a future dedicated Chrome-runtime auth-window prototype.
README.md:195-197 already frames Dumber as not yet a drop-in replacement for every mainstream browser workflow.
Suggested scope
Treat this as a spike, not a commitment to immediate build-out:
- prototype the supported handoff model for WebAuthn-only flows
- identify CEF/runtime/security constraints
- decide whether the feature is CEF-only or exposed as a more generic auth escape hatch
Acceptance criteria
- The spike produces a concrete recommendation and boundary of support.
- Risks and required runtime/UI changes are documented.
- Follow-up implementation can be planned from the spike output.
Audit context
- Audit date: 2026-06-10
- Audited at commit:
5eba8fd5
Summary
CEF remains unable to support mainstream passkey/security-key login flows inside embedded panes, and the docs already point toward a dedicated auth-window concept as the likely escape hatch.
Why this matters
Sites that require WebAuthn force users out to the system browser, which is a real product gap for modern authentication flows.
Evidence
docs/reference/permissions.md:28-32documents that WebAuthn is disabled in embedded CEF panes and explicitly references a future dedicated Chrome-runtime auth-window prototype.README.md:195-197already frames Dumber as not yet a drop-in replacement for every mainstream browser workflow.Suggested scope
Treat this as a spike, not a commitment to immediate build-out:
Acceptance criteria
Audit context
5eba8fd5