Fixed
ag...@chromium.org <ag...@chromium.org>
ag...@chromium.org <ag...@chromium.org> #2
Extension was dropped from WebAuthn Level Two.
ag...@chromium.org <ag...@chromium.org> #3
Extension has been readded in the draft of WebAuthn Level Three.
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #4
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src/+/f1ec964acb750708f55df39271c0c8309928aa2f
commit f1ec964acb750708f55df39271c0c8309928aa2f
Author: Adam Langley <agl@chromium.org>
Date: Tue Jan 10 00:01:57 2023
webauthn: prefer UV more when hmac-secret is in use.
Security keys have two PRFs per credential: one for UV assertions and
one for non-UV assertions. If a site sets uv=preferred (and with the
behaviour of the iCloud authenticator, that's attractive) then it risks
using one PRF and then having it suddenly change if the user later
configures UV on a security key.
Thus this change makes UV=preferred more preferred when hmac-secret is
used. I.e. uv=preferred will trigger UV enrollment in that case.
Bug: 1106961
Change-Id: I60c021e5fbccf26455988c9348e809e8ad60d715
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4137231
Commit-Queue: Adam Langley <agl@chromium.org>
Reviewed-by: Martin Kreichgauer <martinkr@google.com>
Cr-Commit-Position: refs/heads/main@{#1090593}
[modify] https://crrev.com/f1ec964acb750708f55df39271c0c8309928aa2f/content/browser/webauth/authenticator_impl_unittest.cc
[modify] https://crrev.com/f1ec964acb750708f55df39271c0c8309928aa2f/device/fido/fido_device_authenticator.cc
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #5
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src/+/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062
commit dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062
Author: Adam Langley <agl@chromium.org>
Date: Tue Jan 17 20:44:24 2023
webauthn: support PRF extension.
This change wires up the PRF extension[1] into the renderer and into
webauthn.dll.
[1] https://w3c.github.io/webauthn/#prf-extension
Bug: 1106961
Change-Id: Ibb86e1ae1c9d8f4ef28030da72524599ee9dd001
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4128934
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Reviewed-by: Vladimir Levin <vmpstr@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Bo Liu <boliu@chromium.org>
Commit-Queue: Adam Langley <agl@chromium.org>
Reviewed-by: Nina Satragno <nsatragno@chromium.org>
Reviewed-by: Ken Buchanan <kenrb@chromium.org>
Reviewed-by: Martin Kreichgauer <martinkr@google.com>
Cr-Commit-Position: refs/heads/main@{#1093513}
[modify] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/third_party/blink/public/devtools_protocol/browser_protocol.pdl
[modify] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/content/browser/webauth/virtual_authenticator.cc
[modify] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/device/fido/win/webauthn_api.cc
[add] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/third_party/blink/renderer/modules/credentialmanagement/authentication_extensions_prf_inputs.idl
[modify] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/third_party/blink/renderer/bindings/generated_in_modules.gni
[modify] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/device/fido/win/logging.cc
[modify] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/third_party/blink/web_tests/external/wpt/webauthn/createcredential-extensions.https.html
[modify] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/chrome/test/chromedriver/session_commands.cc
[modify] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/third_party/blink/public/mojom/webauthn/virtual_authenticator.mojom
[add] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/third_party/blink/web_tests/external/wpt/webauthn/createcredential-prf.https.html
[modify] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/third_party/blink/renderer/modules/credentialmanagement/credential_manager_type_converters.cc
[modify] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/third_party/blink/renderer/platform/runtime_enabled_features.json5
[modify] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/content/browser/webauth/authenticator_common_impl.cc
[modify] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/content/browser/webauth/virtual_authenticator.h
[modify] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/device/fido/win/type_conversions.cc
[modify] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/third_party/blink/renderer/modules/credentialmanagement/credential_manager_type_converters.h
[modify] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/third_party/blink/renderer/bindings/idl_in_modules.gni
[modify] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/third_party/blink/renderer/modules/credentialmanagement/authentication_extensions_client_outputs.idl
[modify] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/third_party/blink/web_tests/external/wpt/webauthn/getcredential-extensions.https.html
[modify] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/third_party/blink/renderer/modules/credentialmanagement/credentials_container.cc
[modify] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/third_party/blink/renderer/modules/credentialmanagement/authentication_extensions_client_inputs.idl
[modify] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/third_party/blink/web_tests/resources/testdriver-vendor.js
[add] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/third_party/blink/renderer/modules/credentialmanagement/authentication_extensions_prf_outputs.idl
[add] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/third_party/blink/web_tests/external/wpt/webauthn/getcredential-prf.https.html
[modify] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/chrome/test/chromedriver/test/run_py_tests.py
[modify] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/content/browser/devtools/protocol/webauthn_handler.cc
[modify] https://crrev.com/dcd3e54b4a1bf6a7eb4f9c974d12fe941e0d3062/chrome/test/chromedriver/webauthn_commands.cc
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #6
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src/+/341a894d9866b28983210f1c6170fc28f9a38093
commit 341a894d9866b28983210f1c6170fc28f9a38093
Author: Adam Langley <agl@chromium.org>
Date: Wed Jan 25 22:36:20 2023
webauthn: use SyntaxError for invalid credential IDs.
This reflects the discussion on the PR:
https://github.com/w3c/webauthn/pull/1836#discussion_r1069668151
Bug: 1106961
Change-Id: If68bd707a6aadfaf0e6de87e80b82de38396b9a0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4193255
Commit-Queue: Nina Satragno <nsatragno@chromium.org>
Reviewed-by: Nina Satragno <nsatragno@chromium.org>
Auto-Submit: Adam Langley <agl@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1097056}
[modify] https://crrev.com/341a894d9866b28983210f1c6170fc28f9a38093/third_party/blink/web_tests/external/wpt/webauthn/getcredential-prf.https.html
[modify] https://crrev.com/341a894d9866b28983210f1c6170fc28f9a38093/third_party/blink/renderer/modules/credentialmanagement/credentials_container.cc
dg...@dgl.cx <dg...@dgl.cx> #7
Thanks for the work on this, excited for the potential here!
I'm trying this with Chrome Canary 112.0.5567.0 and there's a crash if I do:
navigator.credentials.get({
  publicKey: {
    [...]
    authenticatorSelection: {
      userVerification: "discouraged",
    },
    extensions: {
      prf: {
        evalByCredential: {
          [cred.id]: {first: salt},
        },
      },
    },
  },
});
i.e. I ask for userVerification=discouraged but don't provide the second salt. It all works if I do provide "second", so I think it's just some missing error handling.
ag...@google.com <ag...@google.com> #8
dgl: thank you for the report! I'm not able to recreate a crash with inputs like that. Is there a crash report in chrome://crashes for it? If so, could you provide the ID?
(Also note that discussions about the prf extension are continuing in the WebAuthn WG and the current direction is that the web will only expose the UV PRF. I.e. UV will be required when using the prf extension unless the authenticator doesn't support UV at all.)
dg...@dgl.cx <dg...@dgl.cx> #9
ID is 6a8e73b61ea82349 -- although I don't seem to be able to reproduce it now either, I think I must have accidentally fixed some other detail in the code, sorry for the noise if that ID isn't enough.
(I'm a little sad to hear it will require UV, that changes the UX for a potential workflow where the PRF is mixed into another source (e.g. a password derived key) and the user is only prompted for a password once -- at least on non-biometric devices where UV is a PIN/password.)
ag...@google.com <ag...@google.com> #10
Thanks for the crash ID. With that I believe I was able to figure it out. https://chromium-review.googlesource.com/c/chromium/src/+/4209259 pending to fix it.
(Will answer your email about UV requirements directly.)
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #11
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src/+/d5aa7240bcc697f959cd8c9a911bfa0ff883cb10
commit d5aa7240bcc697f959cd8c9a911bfa0ff883cb10
Author: Adam Langley <agl@chromium.org>
Date: Wed Feb 01 00:43:30 2023
device/fido: set the PIN protocol for hmac_secret.
The hmac_secret extension is special in that it exercises CTAP's key
agreement in order to encrypt the values exchanged, but doesn't require
a PUAT. When doing an hmac_secret request with uv=discouraged, the
request mightn't have a negotiated PIN protocol set because the PUAT flow
was skipped, but it needed one.
Fixed: 1106961
Change-Id: Id0c391bfa6df3a66f14e63bb2bc138c4e34471af
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4209259
Commit-Queue: Adam Langley <agl@chromium.org>
Reviewed-by: Martin Kreichgauer <martinkr@google.com>
Cr-Commit-Position: refs/heads/main@{#1099575}
[modify] https://crrev.com/d5aa7240bcc697f959cd8c9a911bfa0ff883cb10/content/browser/webauth/authenticator_impl_unittest.cc
[modify] https://crrev.com/d5aa7240bcc697f959cd8c9a911bfa0ff883cb10/device/fido/fido_device_authenticator.cc
ag...@google.com <ag...@google.com> #12
[Empty comment from Monorail migration]
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #13
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src/+/d27d7dbd8830d77aef3678816710b29d6db92ade
commit d27d7dbd8830d77aef3678816710b29d6db92ade
Author: Adam Langley <agl@chromium.org>
Date: Wed Feb 08 16:45:37 2023
device/fido: support prf extension.
Add support for a `prf` extension at the CTAP level which mirrors the
WebAuthn-level extension of the same name. This allows authenticators
that don't support up=false probing to support PRFs.
See https://github.com/fido-alliance/fido-2-specs/pull/1373
Bug: 1106961
Change-Id: I0dc539d17e9d3d27044484d4c0cdbeebdd9d7f59
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4215913
Reviewed-by: Martin Kreichgauer <martinkr@google.com>
Commit-Queue: Adam Langley <agl@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1102756}
[modify] https://crrev.com/d27d7dbd8830d77aef3678816710b29d6db92ade/content/browser/webauth/authenticator_common_impl.cc
[modify] https://crrev.com/d27d7dbd8830d77aef3678816710b29d6db92ade/device/fido/win/webauthn_api.cc
[modify] https://crrev.com/d27d7dbd8830d77aef3678816710b29d6db92ade/device/fido/device_response_converter.cc
[modify] https://crrev.com/d27d7dbd8830d77aef3678816710b29d6db92ade/device/fido/authenticator_make_credential_response.cc
[modify] https://crrev.com/d27d7dbd8830d77aef3678816710b29d6db92ade/device/fido/ctap_get_assertion_request.cc
[modify] https://crrev.com/d27d7dbd8830d77aef3678816710b29d6db92ade/device/fido/get_assertion_request_handler.cc
[modify] https://crrev.com/d27d7dbd8830d77aef3678816710b29d6db92ade/device/fido/authenticator_make_credential_response.h
[modify] https://crrev.com/d27d7dbd8830d77aef3678816710b29d6db92ade/device/fido/authenticator_supported_options.h
[modify] https://crrev.com/d27d7dbd8830d77aef3678816710b29d6db92ade/device/fido/virtual_ctap2_device.cc
[modify] https://crrev.com/d27d7dbd8830d77aef3678816710b29d6db92ade/device/fido/ctap_get_assertion_request.h
[modify] https://crrev.com/d27d7dbd8830d77aef3678816710b29d6db92ade/device/fido/authenticator_get_assertion_response.h
[modify] https://crrev.com/d27d7dbd8830d77aef3678816710b29d6db92ade/content/browser/webauth/authenticator_impl_unittest.cc
[modify] https://crrev.com/d27d7dbd8830d77aef3678816710b29d6db92ade/device/fido/ctap_make_credential_request.h
[modify] https://crrev.com/d27d7dbd8830d77aef3678816710b29d6db92ade/device/fido/make_credential_request_handler.cc
[modify] https://crrev.com/d27d7dbd8830d77aef3678816710b29d6db92ade/device/fido/virtual_ctap2_device.h
[modify] https://crrev.com/d27d7dbd8830d77aef3678816710b29d6db92ade/device/fido/get_assertion_task.cc
[modify] https://crrev.com/d27d7dbd8830d77aef3678816710b29d6db92ade/device/fido/fido_constants.h
[modify] https://crrev.com/d27d7dbd8830d77aef3678816710b29d6db92ade/device/fido/get_assertion_task.h
[modify] https://crrev.com/d27d7dbd8830d77aef3678816710b29d6db92ade/device/fido/fido_constants.cc
[modify] https://crrev.com/d27d7dbd8830d77aef3678816710b29d6db92ade/device/fido/ctap_make_credential_request.cc
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #14
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src/+/b8d77fcf9e62cfd1c9f8fc3bdabe685926c8df3d
commit b8d77fcf9e62cfd1c9f8fc3bdabe685926c8df3d
Author: Adam Langley <agl@chromium.org>
Date: Wed Feb 15 23:27:40 2023
webauthn: support `prf` extension on Android.
This change adds support for the PRF extension[1] both for webpages on
Android and via hybrid CTAP. Note that this depends on support in Google
Play Services, which hasn't yet shipped at the time of writing.
Bug: 1106961
Change-Id: I2252bec28aaf1223633bb8c91a2fee4198b7c200
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4223052
Reviewed-by: Adam Langley <agl@chromium.org>
Auto-Submit: Adam Langley <agl@chromium.org>
Commit-Queue: Adam Langley <agl@chromium.org>
Reviewed-by: Martin Kreichgauer <martinkr@google.com>
Cr-Commit-Position: refs/heads/main@{#1105938}
[modify] https://crrev.com/b8d77fcf9e62cfd1c9f8fc3bdabe685926c8df3d/device/fido/cable/v2_test_util.cc
[modify] https://crrev.com/b8d77fcf9e62cfd1c9f8fc3bdabe685926c8df3d/chrome/android/features/cablev2_authenticator/native/cablev2_authenticator_android.cc
[modify] https://crrev.com/b8d77fcf9e62cfd1c9f8fc3bdabe685926c8df3d/device/fido/features.cc
[modify] https://crrev.com/b8d77fcf9e62cfd1c9f8fc3bdabe685926c8df3d/content/browser/webauth/authenticator_impl_unittest.cc
[modify] https://crrev.com/b8d77fcf9e62cfd1c9f8fc3bdabe685926c8df3d/components/webauthn/android/java/src/org/chromium/components/webauthn/Fido2Api.java
[modify] https://crrev.com/b8d77fcf9e62cfd1c9f8fc3bdabe685926c8df3d/device/fido/cable/v2_authenticator.cc
[modify] https://crrev.com/b8d77fcf9e62cfd1c9f8fc3bdabe685926c8df3d/chrome/android/features/cablev2_authenticator/java/src/org/chromium/chrome/browser/webauth/authenticator/CableAuthenticator.java
[modify] https://crrev.com/b8d77fcf9e62cfd1c9f8fc3bdabe685926c8df3d/device/fido/cable/v2_authenticator.h
[modify] https://crrev.com/b8d77fcf9e62cfd1c9f8fc3bdabe685926c8df3d/device/fido/features.h
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #15
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src/+/2bb75bdbf7046ddffa0fd79e482a7ed42f3a7dad
commit 2bb75bdbf7046ddffa0fd79e482a7ed42f3a7dad
Author: Adam Langley <agl@chromium.org>
Date: Mon Mar 06 01:39:55 2023
webauthn: always use the UV PRF.
CTAP2 authenticators create two PRFs per credential: one for UV requests
and one for non-UV requests. The `prf` extension always wants to use the
UV PRF. This change makes it so.
There is an edge case that fails: if a site:
1. creates a credential with uv=discouraged and without setting the
`prf` extension, and
2. does an assertion with the `prf` extension, and
3. we're using webauthn.dll, and
4. the user uses a security key that does hmac_secret on assertion
even without it being configured at creation time,
then I believe the wrong PRF will be used. Windows webauthn.dll would
have to reflect the changes made here not to evaluate PRFs on UV-capable
but UV-not-configured authenticators to fix this.
But this edge case involves the RP creating credentials without the
extension and expecting them to work.
Bug: 1106961
Change-Id: Ia3a8d8f7426fc0a9721f9337ec1b67f3a3726739
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4289410
Reviewed-by: Martin Kreichgauer <martinkr@google.com>
Commit-Queue: Adam Langley <agl@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1113206}
[modify] https://crrev.com/2bb75bdbf7046ddffa0fd79e482a7ed42f3a7dad/device/fido/fido_authenticator.cc
[modify] https://crrev.com/2bb75bdbf7046ddffa0fd79e482a7ed42f3a7dad/content/browser/webauth/authenticator_impl_unittest.cc
[modify] https://crrev.com/2bb75bdbf7046ddffa0fd79e482a7ed42f3a7dad/device/fido/fido_authenticator.h
[modify] https://crrev.com/2bb75bdbf7046ddffa0fd79e482a7ed42f3a7dad/device/fido/make_credential_request_handler.cc
[modify] https://crrev.com/2bb75bdbf7046ddffa0fd79e482a7ed42f3a7dad/device/fido/get_assertion_request_handler.cc
[modify] https://crrev.com/2bb75bdbf7046ddffa0fd79e482a7ed42f3a7dad/device/fido/fido_device_authenticator.cc
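The two-PRFs-per-credential behaviour described in this commit message and in the earlier "prefer UV more when hmac-secret is in use" commit, as an added example that is not Chromium code: a toy model of a security key showing the PRF output changing once the user configures UV, and staying stable when uv=preferred is upgraded. `ToySecurityKey`, `assertWithPrf` and `compareBehaviours` are hypothetical names, and the salt derivation follows the WebAuthn Level 3 draft's `prf` extension.

```javascript
// Added example: toy model of a CTAP2 security key's hmac-secret extension.
// Not Chromium code; class and function names are hypothetical.
const crypto = require('node:crypto');

// WebAuthn-level `prf` input -> CTAP-level hmac-secret salt:
// SHA-256("WebAuthn PRF" || 0x00 || input), per the WebAuthn Level 3 draft.
function prfInputToSalt(input) {
  return crypto.createHash('sha256')
    .update('WebAuthn PRF\0', 'utf8')
    .update(input)
    .digest();
}

class ToySecurityKey {
  constructor() {
    this.uvConfigured = false; // no PIN or biometric enrolled yet
    this.credentials = new Map();
  }

  makeCredential(id) {
    // Two independent PRF keys per credential, as the commit message describes.
    this.credentials.set(id, {
      credRandomWithUV: crypto.randomBytes(32),
      credRandomWithoutUV: crypto.randomBytes(32),
    });
  }

  configureUV() {
    this.uvConfigured = true;
  }

  // uv is 'required', 'preferred' or 'discouraged'.
  getAssertion(id, salt, uv) {
    const cred = this.credentials.get(id);
    if (!cred) throw new Error('unknown credential');
    if (uv === 'required' && !this.uvConfigured) throw new Error('UV not configured');
    const userVerified = this.uvConfigured && uv !== 'discouraged';
    // The PRF key is selected by whether this assertion was user-verified.
    const key = userVerified ? cred.credRandomWithUV : cred.credRandomWithoutUV;
    const prf = crypto.createHmac('sha256', key).update(salt).digest('hex');
    return { userVerified, prf };
  }
}

// Simplified client policy: with upgradePreferred set, uv=preferred is treated
// as required whenever a PRF is requested, enrolling UV first if needed.
function assertWithPrf(key, id, input, requestedUV, { upgradePreferred }) {
  let uv = requestedUV;
  if (upgradePreferred && uv === 'preferred') {
    if (!key.uvConfigured) key.configureUV(); // stands in for the enrollment UI
    uv = 'required';
  }
  return key.getAssertion(id, prfInputToSalt(input), uv);
}

// Runs the same site flow under both policies. Inputs are constructed samples.
function compareBehaviours() {
  const input = Buffer.from('constructed-prf-input');
  const run = (upgradePreferred) => {
    const key = new ToySecurityKey();
    key.makeCredential('cred-1');
    const first = assertWithPrf(key, 'cred-1', input, 'preferred', { upgradePreferred });
    key.configureUV(); // the user later sets a PIN on the key
    const later = assertWithPrf(key, 'cred-1', input, 'preferred', { upgradePreferred });
    return { first, later, stable: first.prf === later.prf };
  };
  return { legacy: run(false), upgraded: run(true) };
}
```

In the `legacy` run, anything the site encrypted under the first PRF output can no longer be decrypted after the user sets a PIN; in the `upgraded` run both assertions use the UV PRF.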
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #16
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src/+/152c5f8b80111aa0029997e04f98f935d8edb9ea
commit 152c5f8b80111aa0029997e04f98f935d8edb9ea
Author: Adam Langley <agl@chromium.org>
Date: Fri Mar 10 21:17:12 2023
webauthn: require that PRF credential IDs are in the allow list.
See https://github.com/w3c/webauthn/pull/1836/commits/3b83189b8f30f6fff36d0bd4b1ef2bcf53e148c6
Bug: 1106961
Change-Id: I64c309d53b2f9f5b9b717d5e887713aad0e0cfa9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4291988
Reviewed-by: Nina Satragno <nsatragno@chromium.org>
Auto-Submit: Adam Langley <agl@chromium.org>
Commit-Queue: Adam Langley <agl@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1115908}
[modify] https://crrev.com/152c5f8b80111aa0029997e04f98f935d8edb9ea/third_party/blink/web_tests/external/wpt/webauthn/getcredential-prf.https.html
[modify] https://crrev.com/152c5f8b80111aa0029997e04f98f935d8edb9ea/third_party/blink/renderer/modules/credentialmanagement/credentials_container.cc
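A pre-flight check a relying party could run on its own `get()` options before calling `navigator.credentials.get`, covering the two rules from this commit and the earlier "use SyntaxError for invalid credential IDs" commit. This is an added example, not Chromium's implementation: `checkPrfRequest`, its problem codes and the sample requests are hypothetical, and it assumes `evalByCredential` keys are base64url-encoded credential IDs as in the WebAuthn Level 3 draft.

```javascript
// Added example: validate prf.evalByCredential against allowCredentials.
// Not Chromium code; function names and problem codes are hypothetical.

// Strict base64url decode (no padding). Returns Uint8Array, or null if invalid.
function decodeBase64Url(text) {
  if (typeof text !== 'string' || !/^[A-Za-z0-9_-]+$/.test(text) || text.length % 4 === 1) {
    return null;
  }
  const padded = text.replace(/-/g, '+').replace(/_/g, '/') +
      '='.repeat((4 - (text.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

function isBufferSource(value) {
  return value instanceof ArrayBuffer || ArrayBuffer.isView(value);
}

function toHex(bufferSource) {
  const bytes = bufferSource instanceof ArrayBuffer
    ? new Uint8Array(bufferSource)
    : new Uint8Array(bufferSource.buffer, bufferSource.byteOffset, bufferSource.byteLength);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Returns a list of {key, code} problems; an empty list means the request
// passes the checks modelled here.
function checkPrfRequest(publicKey) {
  const evalByCredential = publicKey.extensions?.prf?.evalByCredential;
  if (!evalByCredential) return [];

  const problems = [];
  const allowed = new Set((publicKey.allowCredentials ?? []).map((c) => toHex(c.id)));
  const keys = Object.keys(evalByCredential);
  if (keys.length > 0 && allowed.size === 0) {
    problems.push({ key: null, code: 'allow-list-empty' });
  }
  for (const key of keys) {
    const id = decodeBase64Url(key);
    if (id === null) {
      // The case for which the browser raises SyntaxError.
      problems.push({ key, code: 'invalid-credential-id' });
      continue;
    }
    if (!allowed.has(toHex(id))) {
      problems.push({ key, code: 'not-in-allow-list' });
    }
    if (!isBufferSource(evalByCredential[key]?.first)) {
      problems.push({ key, code: 'missing-first' });
    }
  }
  return problems;
}

// Constructed sample requests: credential ID bytes 01 02 03 04 are "AQIDBA"
// in base64url; "CQkJ" decodes to 09 09 09, which is not in the allow list.
const SAMPLE_SALT = new Uint8Array(32);
const SAMPLE_ALLOW = [{ type: 'public-key', id: new Uint8Array([1, 2, 3, 4]) }];
const SAMPLE_OK = {
  allowCredentials: SAMPLE_ALLOW,
  extensions: { prf: { evalByCredential: { AQIDBA: { first: SAMPLE_SALT } } } },
};
const SAMPLE_BAD = {
  allowCredentials: SAMPLE_ALLOW,
  extensions: {
    prf: {
      evalByCredential: {
        'not base64url!': { first: SAMPLE_SALT },
        CQkJ: { first: SAMPLE_SALT },
        AQIDBA: {},
      },
    },
  },
};
const SAMPLE_NO_ALLOW_LIST = {
  extensions: { prf: { evalByCredential: { AQIDBA: { first: SAMPLE_SALT } } } },
};
```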
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #17
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src/+/ce3b68af33407bb037ff0ddc1fcb30e3a88ea65b
commit ce3b68af33407bb037ff0ddc1fcb30e3a88ea65b
Author: Adam Langley <agl@chromium.org>
Date: Tue Mar 21 19:31:46 2023
webauthn: advertise prf feature as hybrid authenticator.
Play Services has updated to support this feature now.
Bug: 1106961
Change-Id: I97f7221480ae458b9b1401f966d40ae108f839a7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4356440
Commit-Queue: Adam Langley <agl@chromium.org>
Reviewed-by: Martin Kreichgauer <martinkr@google.com>
Auto-Submit: Adam Langley <agl@chromium.org>
Commit-Queue: Martin Kreichgauer <martinkr@google.com>
Cr-Commit-Position: refs/heads/main@{#1120121}
[modify] https://crrev.com/ce3b68af33407bb037ff0ddc1fcb30e3a88ea65b/device/fido/features.cc
cr...@gmail.com <cr...@gmail.com> #18
Is the current version of the prf extension available to be tested in any of the Chrome Windows browser versions? (maybe from the Beta or Dev channels?)
Thanks!
ag...@google.com <ag...@google.com> #19
If interested, people can flip chrome://flags/#enable-experimental-web-platform-features to enable the current version of the PRF extension. If on Windows, note that you may need a recent version of Windows to get PRF support in Windows itself, which Chrome depends on.
cr...@gmail.com <cr...@gmail.com> #20
Thank you! We are looking at updated Windows 10 and 11 environments atm. Do you know of a simple check/test that I could run in order to see if my version of Windows & Chrome support it?
Thank you again!
ag...@google.com <ag...@google.com> #21
You can try the "MTS PRF" button on https://securitykeys.info/ts/test_suite.html, but that's just whatever I had last time I needed to try something!
cr...@gmail.com <cr...@gmail.com> #22
Perfect, thank you!
gi...@appspot.gserviceaccount.com <gi...@appspot.gserviceaccount.com> #23
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src/+/9b8e20e8c56b9e193d7e961e546e2c44b21094a1
commit 9b8e20e8c56b9e193d7e961e546e2c44b21094a1
Author: Adam Langley <agl@chromium.org>
Date: Thu May 25 21:42:58 2023
Default enable the WebAuthn PRF extension.
blink-dev thread: https://groups.google.com/a/chromium.org/g/blink-dev/c/iTNOgLwD2bI/m/Oz1C7oEYAgAJ
Fixed: 1106961
Change-Id: Ia31d60d5aaa148a2f4b2ff826d806c53551463f8
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4568844
Reviewed-by: Rick Byers <rbyers@chromium.org>
Commit-Queue: Rick Byers <rbyers@chromium.org>
Auto-Submit: Adam Langley <agl@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1149382}
[modify] https://crrev.com/9b8e20e8c56b9e193d7e961e546e2c44b21094a1/third_party/blink/renderer/platform/runtime_enabled_features.json5
cr...@gmail.com <cr...@gmail.com> #24
I see that this issue has been Fixed. Does this mean that PRF is now available without the need to enable the experimental features flag?
Thank you!
ag...@google.com <ag...@google.com> #25
> I see that this issue has been Fixed. Does this mean that PRF is now available without the need to enable the experimental features flag?
It will be in the future, yes.
If you take the commit hash from a message like #22 then you can construct a URL like https://chromiumdash.appspot.com/commits?commit=9b8e20e8c56b9e193d7e961e546e2c44b21094a1&platform=Windows
Currently there's nothing listed for "First release" there, but in a day or two it'll have a version number beginning with 116. That'll be the first version in which the PRF extension is default enabled, which you can get on the Canary channel. If you want to know when 116 will be released generally you can see https://chromiumdash.appspot.com/schedule
cr...@gmail.com <cr...@gmail.com> #26
Awesome, thank you!
nu...@gmail.com <nu...@gmail.com> #27
I see one compatibility issue when testing: https://bugs.chromium.org/p/chromium/issues/detail?id=1477486
is...@google.com <is...@google.com> #28
This issue was migrated from crbug.com/chromium/1106961?no_tracker_redirect=1
[Auto-CCs applied]
[Monorail components added to Component Tags custom field.]