webAuthenticationProxy

This permission is intended for enterprise scenarios where remote access to security keys is required.

Examples:

• An extension that allows a user to authenticate on a remote desktop session using a physical security key connected to their local machine.
• A corporate security extension that routes all WebAuthn requests through a central monitoring service.

{
  "name": "My WebAuthn Proxy",
  "version": "1.0",
  "manifest_version": 3,
  "permissions": [
    "webAuthenticationProxy"
  ],
  "background": {
    "service_worker": "background.js"
  }
}

Why is it high risk?

This permission lets the extension intercept every WebAuthn registration and authentication ceremony in the user's profile. The API is not auto-disabled on personal devices — any Chrome install can run an extension that declares it; the permission is intended for enterprise scenarios but is technically available everywhere.

A malicious or compromised proxy extension could:

• Observe and log assertions for every site the user authenticates to with passkeys / security keys.
• Redirect ceremonies to attacker-controlled authenticators, defeating phishing-resistance guarantees.
• Selectively fail or stall legitimate authentication.

Only install extensions that declare webAuthenticationProxy if you actively need an enterprise WebAuthn proxy and trust the publisher.

The chrome.webAuthenticationProxy API exposes separate events for credential creation, assertion, and IsUserVerifyingPlatformAuthenticatorAvailable calls. The extension must call attach first, then respond to each request type with its matching completeCreateRequest / completeGetRequest / completeIsUvpaaRequest method, passing the response back as a JSON-encoded string.

// background.js (Manifest V3 service worker)

// Attach the proxy. While attached, every WebAuthn ceremony in this
// profile is routed to the listeners below instead of Chrome's
// built-in authenticator handling.
chrome.webAuthenticationProxy.attach(() => {
  if (chrome.runtime.lastError) {
    console.error('Failed to attach proxy:', chrome.runtime.lastError.message);
  }
});

// Credential creation (navigator.credentials.create).
chrome.webAuthenticationProxy.onCreateRequest.addListener(async (request) => {
  const responseJson = await getRemoteRegistrationResponse(request); // your logic
  await chrome.webAuthenticationProxy.completeCreateRequest({
    requestId: request.requestId,
    responseJson: JSON.stringify(responseJson)
  });
});

// Assertion (navigator.credentials.get).
chrome.webAuthenticationProxy.onGetRequest.addListener(async (request) => {
  const responseJson = await getRemoteAssertionResponse(request); // your logic
  await chrome.webAuthenticationProxy.completeGetRequest({
    requestId: request.requestId,
    responseJson: JSON.stringify(responseJson)
  });
});

// PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable().
chrome.webAuthenticationProxy.onIsUvpaaRequest.addListener(async (request) => {
  await chrome.webAuthenticationProxy.completeIsUvpaaRequest({
    requestId: request.requestId,
    isUvpaa: false
  });
});

// Cancellation: the relying party / browser aborted the in-flight ceremony.
chrome.webAuthenticationProxy.onRequestCanceled.addListener((requestId) => {
  // Clean up any state for this requestId.
});

Note: This example is intentionally simplified. A real implementation must validate all incoming parameters, protect any cryptographic keys, and securely communicate with the remote authenticator or service.