device/fido/features.h - chromium/src - Git at Google

 // Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef DEVICE_FIDO_FEATURES_H_
 #define DEVICE_FIDO_FEATURES_H_

 #include "base/component_export.h"
 #include "base/feature_list.h"
 #include "base/metrics/field_trial_params.h"
 #include "build/build_config.h"
 #include "build/chromeos_buildflags.h"

 namespace device {

 #if BUILDFLAG(IS_WIN)
 // Controls whether on Windows, U2F/CTAP2 requests are forwarded to the
 // native WebAuthentication API, where available.
 COMPONENT_EXPORT(DEVICE_FIDO) BASE_DECLARE_FEATURE(kWebAuthUseNativeWinApi);
 #endif  // BUILDFLAG(IS_WIN)

 // Support the caBLE extension in assertion requests from any origin.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthCableExtensionAnywhere);

 // Feature flag for the Google-internal
 // `WebAuthenticationAllowGoogleCorpRemoteRequestProxying` enterprise policy.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnGoogleCorpRemoteDesktopClientPrivilege);

 #if BUILDFLAG(IS_ANDROID)
 // Use the Android 14 Credential Manager API.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnAndroidCredMan);

 // Use the Android 14 Credential Manager API for credentials stored in Gmscore.
 COMPONENT_EXPORT(DEVICE_FIDO)
 inline constexpr base::FeatureParam<bool> kWebAuthnAndroidGpmInCredMan{
     &kWebAuthnAndroidCredMan, "gpm_in_cred_man", false};

 // Use the Android 14 Credential Manager API for hybrid requests.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnAndroidCredManForHybrid);
 #endif  // BUILDFLAG(IS_ANDROID)

 // Advertise hybrid prelinking on Android even if the app doesn't have
 // notifications permission.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnHybridLinkWithoutNotifications);

 // Require up-to-date JSON formatting in remote-desktop contexts.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnRequireUpToDateJSONForRemoteDesktop);

 // Enable support for iCloud Keychain
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnICloudKeychain);

 // These five feature flags control whether iCloud Keychain is the default
 // mechanism for platform credential creation in different situations.
 // "Active" means that the user is an active user of the profile authenticator,
 // defined by having used it in the past 31 days. "Drive" means that the user
 // is currently signed into iCloud Drive, which isn't iCloud Keychain
 // (what's needed), but the cloest approximation that we can detect.

 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnICloudKeychainForGoogle);
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnICloudKeychainForActiveWithDrive);
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnICloudKeychainForActiveWithoutDrive);
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnICloudKeychainForInactiveWithDrive);
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnICloudKeychainForInactiveWithoutDrive);

 // Enable new hybrid UI
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnNewHybridUI);

 // Don't show the single-account sheet on macOS if Touch ID is available.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnSkipSingleAccountMacOS);

 // Allow sites to opt into experimenting with conditional UI presentations.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthConditionalUIExperimentation);

 // Handle caBLE requests on Android with the CredMan-capable code path.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnCableViaCredMan);

 // Allow some sites to experiment with removing caBLE linking in requests.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnLinkingExperimentation);

 // Enable use of a cloud enclave authenticator service.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnEnclaveAuthenticator);

 // Cache prelinking information on Android.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnCachePaaSK);

 // Don't publish prelinking information if Chrome is running in a work profile
 // on Android.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnDontPrelinkInProfiles);

 // Use the new desktop passkey UI that has the following changes:
 // * Display passkeys from multiple sources, including from Windows Hello,
 //   alongside mechanisms on the modal UI.
 // * Merge the QR and USB screens when available.
 // * String tweaks on modal and conditional UI.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnNewPasskeyUI);

 // Sort discoverable credentials in the UI before showing.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnSortRecognizedCredentials);

 // Don't configure discoveries like caBLE, iCloud Keychain, and the enclave,
 // if the WebAuthn UI is disabled.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnRequireUIForComplexDiscoveries);

 // Filter a priori discovered credentials on google.com to those that have a
 // user id that starts with "GOOGLE_ACCOUNT:".
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnFilterGooglePasskeys);

 // Send the PIN protocol, if v2, in hmac-secret extensions.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnPINProtocolInHMACSecret);

 // Show an incognito confirmation sheet on Android when creating a credential.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnAndroidIncognitoConfirmation);

 // Support evaluating PRFs during create() calls.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnPRFEvalDuringCreate);

 #if BUILDFLAG(IS_CHROMEOS)
 // Enable ChromeOS native passkey support.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kChromeOsPasskeys);
 #endif

 // A webauthn UI mode that detects screen readers and makes the dialog title
 // focusable.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnScreenReaderMode);

 // Update the minimum, maximum, and default timeout values for webauthn requests
 // to be more generous and meet https://www.w3.org/TR/WCAG21/#enough-time.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnAccessibleTimeouts);

 // Support cross-domain RP ID assertions.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnRelatedOrigin);

 // CHECK an invariant about credential sources.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnChromeImplementedInvariant);

 // Allow extensions to assert WebAuthn relying party identifiers for domains
 // they have host permissions for.
 // Added in M121. Remove in or after M124.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kAllowExtensionsToSetWebAuthnRpIds);

 // Send and receive JSON from Play Services.
 COMPONENT_EXPORT(DEVICE_FIDO)
 BASE_DECLARE_FEATURE(kWebAuthnAndroidFidoJson);

 }  // namespace device

 #endif  // DEVICE_FIDO_FEATURES_H_
	// Copyright 2018 The Chromium Authors
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef DEVICE_FIDO_FEATURES_H_
	#define DEVICE_FIDO_FEATURES_H_

	#include "base/component_export.h"
	#include "base/feature_list.h"
	#include "base/metrics/field_trial_params.h"
	#include "build/build_config.h"
	#include "build/chromeos_buildflags.h"

	namespace device {

	#if BUILDFLAG(IS_WIN)
	// Controls whether on Windows, U2F/CTAP2 requests are forwarded to the
	// native WebAuthentication API, where available.
	COMPONENT_EXPORT(DEVICE_FIDO) BASE_DECLARE_FEATURE(kWebAuthUseNativeWinApi);
	#endif // BUILDFLAG(IS_WIN)

	// Support the caBLE extension in assertion requests from any origin.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthCableExtensionAnywhere);

	// Feature flag for the Google-internal
	// `WebAuthenticationAllowGoogleCorpRemoteRequestProxying` enterprise policy.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnGoogleCorpRemoteDesktopClientPrivilege);

	#if BUILDFLAG(IS_ANDROID)
	// Use the Android 14 Credential Manager API.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnAndroidCredMan);

	// Use the Android 14 Credential Manager API for credentials stored in Gmscore.
	COMPONENT_EXPORT(DEVICE_FIDO)
	inline constexpr base::FeatureParam<bool> kWebAuthnAndroidGpmInCredMan{
	&kWebAuthnAndroidCredMan, "gpm_in_cred_man", false};

	// Use the Android 14 Credential Manager API for hybrid requests.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnAndroidCredManForHybrid);
	#endif // BUILDFLAG(IS_ANDROID)

	// Advertise hybrid prelinking on Android even if the app doesn't have
	// notifications permission.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnHybridLinkWithoutNotifications);

	// Require up-to-date JSON formatting in remote-desktop contexts.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnRequireUpToDateJSONForRemoteDesktop);

	// Enable support for iCloud Keychain
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnICloudKeychain);

	// These five feature flags control whether iCloud Keychain is the default
	// mechanism for platform credential creation in different situations.
	// "Active" means that the user is an active user of the profile authenticator,
	// defined by having used it in the past 31 days. "Drive" means that the user
	// is currently signed into iCloud Drive, which isn't iCloud Keychain
	// (what's needed), but the cloest approximation that we can detect.

	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnICloudKeychainForGoogle);
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnICloudKeychainForActiveWithDrive);
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnICloudKeychainForActiveWithoutDrive);
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnICloudKeychainForInactiveWithDrive);
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnICloudKeychainForInactiveWithoutDrive);

	// Enable new hybrid UI
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnNewHybridUI);

	// Don't show the single-account sheet on macOS if Touch ID is available.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnSkipSingleAccountMacOS);

	// Allow sites to opt into experimenting with conditional UI presentations.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthConditionalUIExperimentation);

	// Handle caBLE requests on Android with the CredMan-capable code path.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnCableViaCredMan);

	// Allow some sites to experiment with removing caBLE linking in requests.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnLinkingExperimentation);

	// Enable use of a cloud enclave authenticator service.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnEnclaveAuthenticator);

	// Cache prelinking information on Android.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnCachePaaSK);

	// Don't publish prelinking information if Chrome is running in a work profile
	// on Android.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnDontPrelinkInProfiles);

	// Use the new desktop passkey UI that has the following changes:
	// * Display passkeys from multiple sources, including from Windows Hello,
	// alongside mechanisms on the modal UI.
	// * Merge the QR and USB screens when available.
	// * String tweaks on modal and conditional UI.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnNewPasskeyUI);

	// Sort discoverable credentials in the UI before showing.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnSortRecognizedCredentials);

	// Don't configure discoveries like caBLE, iCloud Keychain, and the enclave,
	// if the WebAuthn UI is disabled.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnRequireUIForComplexDiscoveries);

	// Filter a priori discovered credentials on google.com to those that have a
	// user id that starts with "GOOGLE_ACCOUNT:".
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnFilterGooglePasskeys);

	// Send the PIN protocol, if v2, in hmac-secret extensions.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnPINProtocolInHMACSecret);

	// Show an incognito confirmation sheet on Android when creating a credential.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnAndroidIncognitoConfirmation);

	// Support evaluating PRFs during create() calls.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnPRFEvalDuringCreate);

	#if BUILDFLAG(IS_CHROMEOS)
	// Enable ChromeOS native passkey support.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kChromeOsPasskeys);
	#endif

	// A webauthn UI mode that detects screen readers and makes the dialog title
	// focusable.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnScreenReaderMode);

	// Update the minimum, maximum, and default timeout values for webauthn requests
	// to be more generous and meet https://www.w3.org/TR/WCAG21/#enough-time.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnAccessibleTimeouts);

	// Support cross-domain RP ID assertions.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnRelatedOrigin);

	// CHECK an invariant about credential sources.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnChromeImplementedInvariant);

	// Allow extensions to assert WebAuthn relying party identifiers for domains
	// they have host permissions for.
	// Added in M121. Remove in or after M124.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kAllowExtensionsToSetWebAuthnRpIds);

	// Send and receive JSON from Play Services.
	COMPONENT_EXPORT(DEVICE_FIDO)
	BASE_DECLARE_FEATURE(kWebAuthnAndroidFidoJson);

	} // namespace device

	#endif // DEVICE_FIDO_FEATURES_H_