From 903acfa3dfd67861f9d9afa8732f3a785cbcf881 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anders=20=C3=85berg?= <anders@andersaberg.com>
Date: Fri, 30 Jan 2026 20:55:40 +0100
Subject: [PATCH] Don't make PRF available in any client that is not
 web/browser, even if it's lying about navigator.credentials (#18687)

---
 .../services/default-webauthn-prf-unlock.service.ts   | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/libs/key-management-ui/src/lock/services/default-webauthn-prf-unlock.service.ts b/libs/key-management-ui/src/lock/services/default-webauthn-prf-unlock.service.ts
index 106037bc5f7..b3bbf392d0a 100644
--- a/libs/key-management-ui/src/lock/services/default-webauthn-prf-unlock.service.ts
+++ b/libs/key-management-ui/src/lock/services/default-webauthn-prf-unlock.service.ts
@@ -54,11 +54,12 @@ export class DefaultWebAuthnPrfUnlockService implements WebAuthnPrfUnlockService
         return false;
       }
 
-      // If we're in the browser extension, check if we're in a Chromium browser
-      if (
-        this.platformUtilsService.getClientType() === ClientType.Browser &&
-        !this.platformUtilsService.isChromium()
-      ) {
+      // PRF unlock is only supported on Web and Chromium-based browser extensions
+      const clientType = this.platformUtilsService.getClientType();
+      if (clientType === ClientType.Browser && !this.platformUtilsService.isChromium()) {
+        return false;
+      }
+      if (clientType !== ClientType.Web && clientType !== ClientType.Browser) {
         return false;
       }