Audit the U2F API

Similar to legacy/trac#26614 (moved), we should audit the U2F API implementation that is enabled with the security.webauth.u2f pref.

added component::applications/tor browser in Legacy / Trac ff78-esr in Legacy / Trac owner::tbb-team in Legacy / Trac priority::medium in Legacy / Trac severity::normal in Legacy / Trac sponsor::58 in Legacy / Trac status::new in Legacy / Trac type::defect in Legacy / Trac labels

Trac:
Description: Similar to legacy/trac#26614 (moved), we should audit the U2F API implementation that is enabled with the security.webauth.webauthn pref.

to

Similar to legacy/trac#26614 (moved), we should audit the U2F API implementation that is enabled with the security.webauth.u2f pref.

moved from legacy/trac#34193 (moved)

added Bug label and removed 1 deleted label

removed 1 deleted label

added 1 deleted label

@sysrqb, @gk: U2F is enabled in ff78-esr. Since we have not audited the implementation yet, should we disable it via pref for our upcoming release?

@sysrqb, @gk: U2F is enabled in ff78-esr. Since we have not audited the implementation yet, should we disable it via pref for our upcoming release?

I am torn here because I fear just disabling it for some unknown risk (it's not even clear how a privacy/fingerprinting issue would look like for this API) might not outweigh the costs (e.g. that Yubikeys or other security tokens we and others use for Gitlab access etc. starts breaking).

removed milestone %Tor Browser: 10.0

mentioned in issue fenix#40107 (moved)

Note: (FYI, Android will likely never support U2F, see #40223 (comment 2715078))

mentioned in issue #40403 (closed)

added 1 deleted label and removed 1 deleted label

removed 1 deleted label

added Icebox label

added Roadmap::Future label

removed Icebox label

removed Bug label

added Task label

added All Platforms label

added Apps::Type::Audit label