Skip to content

[audit/spike] Explore a dedicated WebAuthn auth-window path #301

Description

@bnema

Summary

CEF remains unable to support mainstream passkey/security-key login flows inside embedded panes, and the docs already point toward a dedicated auth-window concept as the likely escape hatch.

Why this matters

Sites that require WebAuthn force users out to the system browser, which is a real product gap for modern authentication flows.

Evidence

  • docs/reference/permissions.md:28-32 documents that WebAuthn is disabled in embedded CEF panes and explicitly references a future dedicated Chrome-runtime auth-window prototype.
  • README.md:195-197 already frames Dumber as not yet a drop-in replacement for every mainstream browser workflow.

Suggested scope

Treat this as a spike, not a commitment to immediate build-out:

  • prototype the supported handoff model for WebAuthn-only flows
  • identify CEF/runtime/security constraints
  • decide whether the feature is CEF-only or exposed as a more generic auth escape hatch

Acceptance criteria

  • The spike produces a concrete recommendation and boundary of support.
  • Risks and required runtime/UI changes are documented.
  • Follow-up implementation can be planned from the spike output.

Audit context

  • Audit date: 2026-06-10
  • Audited at commit: 5eba8fd5

Metadata

Metadata

Assignees

No one assigned

    Labels

    auditRaised from a structured codebase auditcefPrimarily affects the CEF backendenhancementNew feature or requesthelp wantedExtra attention is neededpriority: mediumMedium priorityspikeDesign or research spike

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions