
Yes, I was referring to WebAuthn user verification. @Avamander claims there's a whitelist, but I couldn't find any proof of that through quick googling.


I'm not talking about Webauthn's standardized user presence checking, certainly not.

The whitelist can be seen in WebKit's source when searching for "shouldBypassUserGestureRequirementForWebAuthn" or any of the whitelisted domains: dropbox.com, microsoft.com, google.com, twitter.com or facebook.com.

I am saying from very practical experience this is not well made and shouldn't have been shipped to users in its current form.

There are better examples of how to avoid users getting spammed with any requests; browsers have a long history of dealing with that kind of abuse much better.


> The whitelist can be seen in Webkit's source when searching

It was removed in December 2021: https://github.com/WebKit/WebKit/commit/0dc4de89f6b03870787c...

--- start quote ---

This patch loosens the user gesture requirement around using WebAuthn with respect to user gestures by removing the Quirks.h allowlist of sites that get a freebie.

Instead the new behavior is all sites get one freebie, then on subsequent attempts they show a non-modal consent dialog.

--- end quote ---

> There are better examples how to avoid users getting spammed with any requests, browsers have a long history of dealing with that kind of abuse much better.

They really don't have much better solutions than requiring user interaction. Even the Media Engagement Index that you mentioned is used by Chrome only on desktop, and it is computed from user interaction.
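To make the two behaviours discussed in this thread concrete, here is an added JavaScript model (not code from the thread, not WebKit's code) of the gesture gate before and after the quoted commit: the old policy waives the user-gesture requirement only for the allowlisted domains listed upthread, the new one gives every origin a single gesture-free request and then routes further gesture-free attempts to a consent prompt. The hostname matching (exact match or subdomain) and the `'block'` / `'consent-required'` outcome names are assumptions for the model, not WebKit's Quirks.h logic.

```javascript
// Added example: simplified model of the WebKit WebAuthn gesture policies
// described in this thread. Not WebKit's code; matching rules are assumed.

// Allowlist of domains quoted upthread (pre-December-2021 behaviour).
const LEGACY_ALLOWLIST = [
  'dropbox.com', 'microsoft.com', 'google.com', 'twitter.com', 'facebook.com',
];

// Assumed matching: exact host or a subdomain of an allowlisted domain.
// Comparing with a leading '.' prevents 'notgoogle.com' from matching.
function isAllowlisted(hostname, allowlist = LEGACY_ALLOWLIST) {
  const h = hostname.toLowerCase();
  return allowlist.some((d) => h === d || h.endsWith('.' + d));
}

// Old policy: a user gesture is required unless the site is allowlisted.
// Returns 'allow' or 'block' (outcome names are the model's own).
function legacyDecision(hostname, hasUserGesture) {
  if (hasUserGesture || isAllowlisted(hostname)) return 'allow';
  return 'block';
}

// New policy (per the quoted commit message): every origin gets one
// gesture-free request; later gesture-free requests need explicit consent.
class FreebiePolicy {
  constructor() {
    // Origins that have already spent their single freebie.
    this.usedFreebie = new Set();
  }

  // Returns 'allow' or 'consent-required'.
  decide(origin, hasUserGesture) {
    if (hasUserGesture) return 'allow';
    if (!this.usedFreebie.has(origin)) {
      this.usedFreebie.add(origin);
      return 'allow';
    }
    return 'consent-required';
  }
}

// Run a scripted sequence of requests through both policies so the
// difference is visible side by side. Input sequence is constructed.
function compareScenarios() {
  const policy = new FreebiePolicy();
  const requests = [
    { host: 'accounts.google.com', gesture: false },
    { host: 'login.example.com', gesture: false },
    { host: 'login.example.com', gesture: false },
    { host: 'login.example.com', gesture: true },
  ];
  return requests.map(({ host, gesture }) => ({
    host,
    gesture,
    legacy: legacyDecision(host, gesture),
    current: policy.decide('https://' + host, gesture),
  }));
}

module.exports = { isAllowlisted, legacyDecision, FreebiePolicy, compareScenarios };
```

Running `compareScenarios()` shows the practical point made in the thread: under the old policy a non-allowlisted site could never call WebAuthn without a gesture, while under the new one the first silent call succeeds everywhere and only repeated silent calls get throttled behind consent.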


> It was removed in December 2021

Unfortunately that doesn't magically update and fix each device out there.



