Bug 1508115 - Web Authentication - Support Windows Hello r=keeler,jcj,baku
authorAkshay Kumar <akshay.sonu@gmail.com>
Mon, 21 Jan 2019 01:10:44 +0000
changeset 454853 828fe91e878b700d0135adb3f45a9554694e4498
parent 454852 3c892082191daa8abe20a3a6c96ad0b2658c3ab9
child 454854 b2066b96bd8fcda814e7438c81880b59615bde1e
push id111360
push userrgurzau@mozilla.com
push dateWed, 23 Jan 2019 00:06:13 +0000
treeherdermozilla-inbound@80d073eee75b [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskeeler, jcj, baku
bugs1508115
milestone66.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1508115 - Web Authentication - Support Windows Hello r=keeler,jcj,baku This change adopts Windows Win32 WebAuthN APIs from https://github.com/Microsoft/webauthn Differential Revision: https://phabricator.services.mozilla.com/D15752
.clang-format-ignore
dom/webauthn/PWebAuthnTransaction.ipdl
dom/webauthn/PublicKeyCredential.cpp
dom/webauthn/U2FHIDTokenManager.cpp
dom/webauthn/U2FSoftTokenManager.cpp
dom/webauthn/U2FTokenManager.cpp
dom/webauthn/WebAuthnManager.cpp
dom/webauthn/WebAuthnTransactionParent.cpp
dom/webauthn/WinWebAuthnManager.cpp
dom/webauthn/WinWebAuthnManager.h
dom/webauthn/moz.build
dom/webauthn/u2f-hid-rs/src/u2fhid-capi.h
dom/webauthn/winwebauthn/.gitignore
dom/webauthn/winwebauthn/LICENSE
dom/webauthn/winwebauthn/README.md
dom/webauthn/winwebauthn/webauthn.h
dom/webidl/WebAuthentication.webidl
layout/build/nsLayoutStatics.cpp
--- a/.clang-format-ignore
+++ b/.clang-format-ignore
@@ -73,16 +73,17 @@ dom/media/platforms/ffmpeg/libav53/.*
 dom/media/platforms/ffmpeg/libav54/.*
 dom/media/platforms/ffmpeg/libav55/.*
 dom/media/webspeech/recognition/endpointer.cc
 dom/media/webspeech/recognition/endpointer.h
 dom/media/webspeech/recognition/energy_endpointer.cc
 dom/media/webspeech/recognition/energy_endpointer.h
 dom/media/webspeech/recognition/energy_endpointer_params.cc
 dom/media/webspeech/recognition/energy_endpointer_params.h
+dom/webauthn/winwebauthn/webauthn.h
 editor/libeditor/tests/browserscope/lib/richtext/.*
 editor/libeditor/tests/browserscope/lib/richtext2/.*
 extensions/spellcheck/hunspell/src/.*
 gfx/angle/.*
 gfx/cairo/.*
 gfx/graphite2/.*
 gfx/harfbuzz/.*
 gfx/ots/.*
--- a/dom/webauthn/PWebAuthnTransaction.ipdl
+++ b/dom/webauthn/PWebAuthnTransaction.ipdl
@@ -16,47 +16,72 @@
 
 include protocol PBackground;
 
 using struct mozilla::null_t from "ipc/IPCMessageUtils.h";
 
 namespace mozilla {
 namespace dom {
 
+union WebAuthnMaybeAuthenticatorAttachment {
+  uint8_t;
+  null_t;
+};
+
 struct WebAuthnAuthenticatorSelection {
   bool requireResidentKey;
-  bool requireUserVerification;
-  bool requirePlatformAttachment;
+  uint8_t userVerificationRequirement;
+  WebAuthnMaybeAuthenticatorAttachment authenticatorAttachment;
 };
 
 struct WebAuthnScopedCredential {
   uint8_t[] id;
   uint8_t transports;
 };
 
 struct WebAuthnExtensionAppId {
   uint8_t[] AppId;
+  nsString appIdentifier;
 };
 
 union WebAuthnExtension {
   WebAuthnExtensionAppId;
 };
 
 struct WebAuthnExtensionResultAppId {
   bool AppId;
 };
 
 union WebAuthnExtensionResult {
   WebAuthnExtensionResultAppId;
 };
 
+struct WebAuthnMakeCredentialRpInfo {
+  nsString Name;
+  nsString Icon;
+};
+
+struct WebAuthnMakeCredentialUserInfo {
+  uint8_t[] Id;
+  nsString Name;
+  nsString Icon;
+  nsString DisplayName;
+};
+
+struct CoseAlg {
+  long alg;
+};
+
 struct WebAuthnMakeCredentialExtraInfo {
+  WebAuthnMakeCredentialRpInfo Rp;
+  WebAuthnMakeCredentialUserInfo User;
+  CoseAlg[] coseAlgs;
   WebAuthnExtension[] Extensions;
   WebAuthnAuthenticatorSelection AuthenticatorSelection;
-  bool RequestDirectAttestation;
+  uint8_t attestationConveyancePreference;
 };
 
 union WebAuthnMaybeMakeCredentialExtraInfo {
   WebAuthnMakeCredentialExtraInfo;
   null_t;
 };
 
 struct WebAuthnMakeCredentialInfo {
@@ -74,17 +99,17 @@ struct WebAuthnMakeCredentialResult {
   uint8_t[] AttestationObject;
   uint8_t[] KeyHandle;
   /* Might be empty if the token implementation doesn't support CTAP1. */
   uint8_t[] RegistrationData;
 };
 
 struct WebAuthnGetAssertionExtraInfo {
   WebAuthnExtension[] Extensions;
-  bool RequireUserVerification;
+  uint8_t userVerificationRequirement;
 };
 
 union WebAuthnMaybeGetAssertionExtraInfo {
   WebAuthnGetAssertionExtraInfo;
   null_t;
 };
 
 struct WebAuthnGetAssertionInfo {
--- a/dom/webauthn/PublicKeyCredential.cpp
+++ b/dom/webauthn/PublicKeyCredential.cpp
@@ -4,16 +4,20 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "mozilla/dom/Promise.h"
 #include "mozilla/dom/PublicKeyCredential.h"
 #include "mozilla/dom/WebAuthenticationBinding.h"
 #include "nsCycleCollectionParticipant.h"
 
+#ifdef OS_WIN
+#include "WinWebAuthnManager.h"
+#endif
+
 namespace mozilla {
 namespace dom {
 
 NS_IMPL_CYCLE_COLLECTION_CLASS(PublicKeyCredential)
 NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN_INHERITED(PublicKeyCredential, Credential)
   tmp->mRawIdCachedObj = nullptr;
 NS_IMPL_CYCLE_COLLECTION_UNLINK_END
 
@@ -77,30 +81,39 @@ PublicKeyCredential::IsUserVerifyingPlat
   }
 
   ErrorResult rv;
   RefPtr<Promise> promise = Promise::Create(globalObject, rv);
   if (rv.Failed()) {
     return nullptr;
   }
 
-  // https://w3c.github.io/webauthn/#isUserVerifyingPlatformAuthenticatorAvailable
-  //
-  // We currently implement no platform authenticators, so this would always
-  // resolve to false. For those cases, the spec recommends a resolve timeout
-  // on the order of 10 minutes to avoid fingerprinting.
-  //
-  // A simple solution is thus to never resolve the promise, otherwise we'd
-  // have to track every single call to this method along with a promise
-  // and timer to resolve it after exactly X minutes.
-  //
-  // A Relying Party has to deal with a non-response in a timely fashion, so
-  // we can keep this as-is (and not resolve) even when we support platform
-  // authenticators but they're not available, or a user rejects a website's
-  // request to use them.
+// https://w3c.github.io/webauthn/#isUserVerifyingPlatformAuthenticatorAvailable
+//
+// If on latest windows, call system APIs, otherwise
+// We currently implement no platform authenticators, so this would always
+// resolve to false. For those cases, the spec recommends a resolve timeout
+// on the order of 10 minutes to avoid fingerprinting.
+//
+// A simple solution is thus to never resolve the promise, otherwise we'd
+// have to track every single call to this method along with a promise
+// and timer to resolve it after exactly X minutes.
+//
+// A Relying Party has to deal with a non-response in a timely fashion, so
+// we can keep this as-is (and not resolve) even when we support platform
+// authenticators but they're not available, or a user rejects a website's
+// request to use them.
+#ifdef OS_WIN
+
+  if (WinWebAuthnManager::IsUserVerifyingPlatformAuthenticatorAvailable()) {
+    promise->MaybeResolve(true);
+  }
+
+#endif
+
   return promise.forget();
 }
 
 void PublicKeyCredential::GetClientExtensionResults(
     AuthenticationExtensionsClientOutputs& aResult) {
   aResult = mClientExtensionOutputs;
 }
 
--- a/dom/webauthn/U2FHIDTokenManager.cpp
+++ b/dom/webauthn/U2FHIDTokenManager.cpp
@@ -107,24 +107,42 @@ RefPtr<U2FRegisterPromise> U2FHIDTokenMa
   mozilla::ipc::AssertIsOnBackgroundThread();
 
   uint64_t registerFlags = 0;
 
   if (aInfo.Extra().type() != WebAuthnMaybeMakeCredentialExtraInfo::Tnull_t) {
     const auto& extra = aInfo.Extra().get_WebAuthnMakeCredentialExtraInfo();
     const WebAuthnAuthenticatorSelection& sel = extra.AuthenticatorSelection();
 
+    UserVerificationRequirement userVerificaitonRequirement =
+        static_cast<UserVerificationRequirement>(
+            sel.userVerificationRequirement());
+
+    bool requireUserVerification =
+        userVerificaitonRequirement == UserVerificationRequirement::Required;
+
+    bool requirePlatformAttachment = false;
+    if (sel.authenticatorAttachment().type() ==
+        WebAuthnMaybeAuthenticatorAttachment::Tuint8_t) {
+      const AuthenticatorAttachment authenticatorAttachment =
+          static_cast<AuthenticatorAttachment>(
+              sel.authenticatorAttachment().get_uint8_t());
+      if (authenticatorAttachment == AuthenticatorAttachment::Platform) {
+        requirePlatformAttachment = true;
+      }
+    }
+
     // Set flags for credential creation.
     if (sel.requireResidentKey()) {
       registerFlags |= U2F_FLAG_REQUIRE_RESIDENT_KEY;
     }
-    if (sel.requireUserVerification()) {
+    if (requireUserVerification) {
       registerFlags |= U2F_FLAG_REQUIRE_USER_VERIFICATION;
     }
-    if (sel.requirePlatformAttachment()) {
+    if (requirePlatformAttachment) {
       registerFlags |= U2F_FLAG_REQUIRE_PLATFORM_ATTACHMENT;
     }
   }
 
   CryptoBuffer rpIdHash, clientDataHash;
   NS_ConvertUTF16toUTF8 rpId(aInfo.RpId());
   nsresult rv = BuildTransactionHashes(rpId, aInfo.ClientDataJSON(), rpIdHash,
                                        clientDataHash);
@@ -182,18 +200,22 @@ RefPtr<U2FSignPromise> U2FHIDTokenManage
 
   uint64_t signFlags = 0;
   nsTArray<nsTArray<uint8_t>> appIds;
   appIds.AppendElement(rpIdHash);
 
   if (aInfo.Extra().type() != WebAuthnMaybeGetAssertionExtraInfo::Tnull_t) {
     const auto& extra = aInfo.Extra().get_WebAuthnGetAssertionExtraInfo();
 
+    UserVerificationRequirement userVerificaitonReq =
+        static_cast<UserVerificationRequirement>(
+            extra.userVerificationRequirement());
+
     // Set flags for credential requests.
-    if (extra.RequireUserVerification()) {
+    if (userVerificaitonReq == UserVerificationRequirement::Required) {
       signFlags |= U2F_FLAG_REQUIRE_USER_VERIFICATION;
     }
 
     // Process extensions.
     for (const WebAuthnExtension& ext : extra.Extensions()) {
       if (ext.type() == WebAuthnExtension::TWebAuthnExtensionAppId) {
         appIds.AppendElement(ext.get_WebAuthnExtensionAppId().AppId());
       }
--- a/dom/webauthn/U2FSoftTokenManager.cpp
+++ b/dom/webauthn/U2FSoftTokenManager.cpp
@@ -572,20 +572,38 @@ RefPtr<U2FRegisterPromise> U2FSoftTokenM
       return U2FRegisterPromise::CreateAndReject(rv, __func__);
     }
   }
 
   if (aInfo.Extra().type() != WebAuthnMaybeMakeCredentialExtraInfo::Tnull_t) {
     const auto& extra = aInfo.Extra().get_WebAuthnMakeCredentialExtraInfo();
     const WebAuthnAuthenticatorSelection& sel = extra.AuthenticatorSelection();
 
+    UserVerificationRequirement userVerificaitonRequirement =
+        static_cast<UserVerificationRequirement>(
+            sel.userVerificationRequirement());
+
+    bool requireUserVerification =
+        userVerificaitonRequirement == UserVerificationRequirement::Required;
+
+    bool requirePlatformAttachment = false;
+    if (sel.authenticatorAttachment().type() ==
+        WebAuthnMaybeAuthenticatorAttachment::Tuint8_t) {
+      const AuthenticatorAttachment authenticatorAttachment =
+          static_cast<AuthenticatorAttachment>(
+              sel.authenticatorAttachment().get_uint8_t());
+      if (authenticatorAttachment == AuthenticatorAttachment::Platform) {
+        requirePlatformAttachment = true;
+      }
+    }
+
     // The U2F softtoken neither supports resident keys or
     // user verification, nor is it a platform authenticator.
-    if (sel.requireResidentKey() || sel.requireUserVerification() ||
-        sel.requirePlatformAttachment()) {
+    if (sel.requireResidentKey() || requireUserVerification ||
+        requirePlatformAttachment) {
       return U2FRegisterPromise::CreateAndReject(NS_ERROR_DOM_NOT_ALLOWED_ERR,
                                                  __func__);
     }
   }
 
   CryptoBuffer rpIdHash, clientDataHash;
   NS_ConvertUTF16toUTF8 rpId(aInfo.RpId());
   nsresult rv = BuildTransactionHashes(rpId, aInfo.ClientDataJSON(), rpIdHash,
@@ -771,18 +789,22 @@ RefPtr<U2FSignPromise> U2FSoftTokenManag
   }
 
   nsTArray<nsTArray<uint8_t>> appIds;
   appIds.AppendElement(rpIdHash);
 
   if (aInfo.Extra().type() != WebAuthnMaybeGetAssertionExtraInfo::Tnull_t) {
     const auto& extra = aInfo.Extra().get_WebAuthnGetAssertionExtraInfo();
 
+    UserVerificationRequirement userVerificaitonReq =
+        static_cast<UserVerificationRequirement>(
+            extra.userVerificationRequirement());
+
     // The U2F softtoken doesn't support user verification.
-    if (extra.RequireUserVerification()) {
+    if (userVerificaitonReq == UserVerificationRequirement::Required) {
       return U2FSignPromise::CreateAndReject(NS_ERROR_DOM_NOT_ALLOWED_ERR,
                                              __func__);
     }
 
     // Process extensions.
     for (const WebAuthnExtension& ext : extra.Extensions()) {
       if (ext.type() == WebAuthnExtension::TWebAuthnExtensionAppId) {
         appIds.AppendElement(ext.get_WebAuthnExtensionAppId().AppId());
--- a/dom/webauthn/U2FTokenManager.cpp
+++ b/dom/webauthn/U2FTokenManager.cpp
@@ -280,17 +280,23 @@ void U2FTokenManager::Register(
   mLastTransactionId = aTransactionId;
 
   // Determine whether direct attestation was requested.
   bool directAttestationRequested = false;
   if (aTransactionInfo.Extra().type() ==
       WebAuthnMaybeMakeCredentialExtraInfo::TWebAuthnMakeCredentialExtraInfo) {
     const auto& extra =
         aTransactionInfo.Extra().get_WebAuthnMakeCredentialExtraInfo();
-    directAttestationRequested = extra.RequestDirectAttestation();
+
+    AttestationConveyancePreference attestation =
+        static_cast<AttestationConveyancePreference>(
+            extra.attestationConveyancePreference());
+
+    directAttestationRequested =
+        attestation == AttestationConveyancePreference::Direct;
   }
 
   // Start a register request immediately if direct attestation
   // wasn't requested or the test pref is set.
   if (!directAttestationRequested ||
       U2FPrefManager::Get()->GetAllowDirectAttestationForTesting()) {
     // Force "none" attestation when "direct" attestation wasn't requested.
     DoRegister(aTransactionInfo, !directAttestationRequested);
--- a/dom/webauthn/WebAuthnManager.cpp
+++ b/dom/webauthn/WebAuthnManager.cpp
@@ -13,16 +13,20 @@
 #include "mozilla/dom/Promise.h"
 #include "mozilla/dom/PWebAuthnTransaction.h"
 #include "mozilla/dom/WebAuthnManager.h"
 #include "mozilla/dom/WebAuthnTransactionChild.h"
 #include "mozilla/dom/WebAuthnUtil.h"
 #include "mozilla/ipc/BackgroundChild.h"
 #include "mozilla/ipc/PBackgroundChild.h"
 
+#ifdef OS_WIN
+#include "WinWebAuthnManager.h"
+#endif
+
 using namespace mozilla::ipc;
 
 namespace mozilla {
 namespace dom {
 
 /***********************************************************************
  * Statics
  **********************************************************************/
@@ -219,23 +223,22 @@ already_AddRefed<Promise> WebAuthnManage
   if (NS_WARN_IF(rv.Failed())) {
     promise->MaybeReject(rv);
     return promise.forget();
   }
 
   // Enforce 5.4.3 User Account Parameters for Credential Generation
   // When we add UX, we'll want to do more with this value, but for now
   // we just have to verify its correctness.
-  {
-    CryptoBuffer userId;
-    userId.Assign(aOptions.mUser.mId);
-    if (userId.Length() > 64) {
-      promise->MaybeReject(NS_ERROR_DOM_TYPE_ERR);
-      return promise.forget();
-    }
+
+  CryptoBuffer userId;
+  userId.Assign(aOptions.mUser.mId);
+  if (userId.Length() > 64) {
+    promise->MaybeReject(NS_ERROR_DOM_TYPE_ERR);
+    return promise.forget();
   }
 
   // If timeoutSeconds was specified, check if its value lies within a
   // reasonable range as defined by the platform and if not, correct it to the
   // closest value lying within that range.
 
   uint32_t adjustedTimeout = 30000;
   if (aOptions.mTimeout.WasPassed()) {
@@ -263,18 +266,19 @@ already_AddRefed<Promise> WebAuthnManage
   if (aOptions.mExtensions.mAppid.WasPassed()) {
     promise->MaybeReject(NS_ERROR_DOM_NOT_SUPPORTED_ERR);
     return promise.forget();
   }
 
   // TODO: Move this logic into U2FTokenManager in Bug 1409220.
 
   // Process each element of mPubKeyCredParams using the following steps, to
-  // produce a new sequence acceptableParams.
+  // produce a new sequence coseAlgos.
   nsTArray<PublicKeyCredentialParameters> acceptableParams;
+  nsTArray<CoseAlg> coseAlgos;
   for (size_t a = 0; a < aOptions.mPubKeyCredParams.Length(); ++a) {
     // Let current be the currently selected element of
     // mPubKeyCredParams.
 
     // If current.type does not contain a PublicKeyCredentialType
     // supported by this implementation, then stop processing current and move
     // on to the next element in mPubKeyCredParams.
     if (aOptions.mPubKeyCredParams[a].mType !=
@@ -288,16 +292,17 @@ already_AddRefed<Promise> WebAuthnManage
       continue;
     }
 
     if (!acceptableParams.AppendElement(aOptions.mPubKeyCredParams[a],
                                         mozilla::fallible)) {
       promise->MaybeReject(NS_ERROR_OUT_OF_MEMORY);
       return promise.forget();
     }
+    coseAlgos.AppendElement(aOptions.mPubKeyCredParams[a].mAlg);
   }
 
   // If acceptableParams is empty and mPubKeyCredParams was not empty, cancel
   // the timer started in step 2, reject promise with a DOMException whose name
   // is "NotSupportedError", and terminate this algorithm.
   if (acceptableParams.IsEmpty() && !aOptions.mPubKeyCredParams.IsEmpty()) {
     promise->MaybeReject(NS_ERROR_DOM_NOT_SUPPORTED_ERR);
     return promise.forget();
@@ -349,43 +354,66 @@ already_AddRefed<Promise> WebAuthnManage
 
   // TODO: Add extension list building
   nsTArray<WebAuthnExtension> extensions;
 
   const auto& selection = aOptions.mAuthenticatorSelection;
   const auto& attachment = selection.mAuthenticatorAttachment;
   const AttestationConveyancePreference& attestation = aOptions.mAttestation;
 
-  // Does the RP require attachment == "platform"?
-  bool requirePlatformAttachment =
-      attachment.WasPassed() &&
-      attachment.Value() == AuthenticatorAttachment::Platform;
+  // Attachment
+  WebAuthnMaybeAuthenticatorAttachment authenticatorAttachment(
+      WebAuthnMaybeAuthenticatorAttachment::Tnull_t);
+  if (attachment.WasPassed()) {
+    authenticatorAttachment = WebAuthnMaybeAuthenticatorAttachment(
+        static_cast<uint8_t>(attachment.Value()));
+  }
 
-  // Does the RP require user verification?
-  bool requireUserVerification =
-      selection.mUserVerification == UserVerificationRequirement::Required;
-
-  // Does the RP desire direct attestation? Indirect attestation is not
-  // implemented, and thus is equivilent to None.
-  bool requestDirectAttestation =
-      attestation == AttestationConveyancePreference::Direct;
+  // User Verification
+  uint8_t userVerificationRequirement =
+      static_cast<uint8_t>(selection.mUserVerification);
 
   // Create and forward authenticator selection criteria.
   WebAuthnAuthenticatorSelection authSelection(selection.mRequireResidentKey,
-                                               requireUserVerification,
-                                               requirePlatformAttachment);
+                                               userVerificationRequirement,
+                                               authenticatorAttachment);
+
+  // aOptions.mAttestation
+  uint8_t attestationConveyancePreference = static_cast<uint8_t>(attestation);
+
+  nsString rpIcon;
+  if (aOptions.mRp.mIcon.WasPassed()) {
+    rpIcon = aOptions.mRp.mIcon.Value();
+  }
 
-  WebAuthnMakeCredentialExtraInfo extra(extensions, authSelection,
-                                        requestDirectAttestation);
+  nsString userIcon;
+  if (aOptions.mUser.mIcon.WasPassed()) {
+    userIcon = aOptions.mUser.mIcon.Value();
+  }
+
+  WebAuthnMakeCredentialRpInfo rpInfo(aOptions.mRp.mName, rpIcon);
+
+  WebAuthnMakeCredentialUserInfo userInfo(
+      userId, aOptions.mUser.mName, userIcon, aOptions.mUser.mDisplayName);
+
+  WebAuthnMakeCredentialExtraInfo extra(rpInfo, userInfo, coseAlgos, extensions,
+                                        authSelection,
+                                        attestationConveyancePreference);
 
   WebAuthnMakeCredentialInfo info(origin, NS_ConvertUTF8toUTF16(rpId),
                                   challenge, clientDataJSON, adjustedTimeout,
                                   excludeList, extra);
 
+#ifdef OS_WIN
+  if (!WinWebAuthnManager::AreWebAuthNApisAvailable()) {
+    ListenForVisibilityEvents();
+  }
+#else
   ListenForVisibilityEvents();
+#endif
 
   AbortSignal* signal = nullptr;
   if (aSignal.WasPassed()) {
     signal = &aSignal.Value();
     Follow(signal);
   }
 
   MOZ_ASSERT(mTransaction.isNothing());
@@ -493,32 +521,35 @@ already_AddRefed<Promise> WebAuthnManage
             transports |= U2F_AUTHENTICATOR_TRANSPORT_USB;
           }
           if (t == AuthenticatorTransport::Nfc) {
             transports |= U2F_AUTHENTICATOR_TRANSPORT_NFC;
           }
           if (t == AuthenticatorTransport::Ble) {
             transports |= U2F_AUTHENTICATOR_TRANSPORT_BLE;
           }
+          if (t == AuthenticatorTransport::Internal) {
+            transports |= CTAP_AUTHENTICATOR_TRANSPORT_INTERNAL;
+          }
         }
         c.transports() = transports;
       }
 
       allowList.AppendElement(c);
     }
   }
 
   if (!MaybeCreateBackgroundActor()) {
     promise->MaybeReject(NS_ERROR_DOM_OPERATION_ERR);
     return promise.forget();
   }
 
-  // Does the RP require user verification?
-  bool requireUserVerification =
-      aOptions.mUserVerification == UserVerificationRequirement::Required;
+  // User Verification
+  uint8_t userVerificationRequirement =
+      static_cast<uint8_t>(aOptions.mUserVerification);
 
   // If extensions were specified, process any extensions supported by this
   // client platform, to produce the extension data that needs to be sent to the
   // authenticator. If an error is encountered while processing an extension,
   // skip that extension and do not produce any extension data for it. Call the
   // result of this processing clientExtensions.
   nsTArray<WebAuthnExtension> extensions;
 
@@ -541,26 +572,32 @@ already_AddRefed<Promise> WebAuthnManage
     // We need the SHA-256 hash of the appId.
     srv = HashCString(NS_ConvertUTF16toUTF8(appId), appIdHash);
     if (NS_WARN_IF(NS_FAILED(srv))) {
       promise->MaybeReject(NS_ERROR_DOM_SECURITY_ERR);
       return promise.forget();
     }
 
     // Append the hash and send it to the backend.
-    extensions.AppendElement(WebAuthnExtensionAppId(appIdHash));
+    extensions.AppendElement(WebAuthnExtensionAppId(appIdHash, appId));
   }
 
-  WebAuthnGetAssertionExtraInfo extra(extensions, requireUserVerification);
+  WebAuthnGetAssertionExtraInfo extra(extensions, userVerificationRequirement);
 
   WebAuthnGetAssertionInfo info(origin, NS_ConvertUTF8toUTF16(rpId), challenge,
                                 clientDataJSON, adjustedTimeout, allowList,
                                 extra);
 
+#ifdef OS_WIN
+  if (!WinWebAuthnManager::AreWebAuthNApisAvailable()) {
+    ListenForVisibilityEvents();
+  }
+#else
   ListenForVisibilityEvents();
+#endif
 
   AbortSignal* signal = nullptr;
   if (aSignal.WasPassed()) {
     signal = &aSignal.Value();
     Follow(signal);
   }
 
   MOZ_ASSERT(mTransaction.isNothing());
--- a/dom/webauthn/WebAuthnTransactionParent.cpp
+++ b/dom/webauthn/WebAuthnTransactionParent.cpp
@@ -4,42 +4,82 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "mozilla/dom/WebAuthnTransactionParent.h"
 #include "mozilla/dom/U2FTokenManager.h"
 #include "mozilla/ipc/PBackgroundParent.h"
 #include "mozilla/ipc/BackgroundParent.h"
 
+#ifdef OS_WIN
+#include "WinWebAuthnManager.h"
+#endif
+
 namespace mozilla {
 namespace dom {
 
 mozilla::ipc::IPCResult WebAuthnTransactionParent::RecvRequestRegister(
     const uint64_t& aTransactionId,
     const WebAuthnMakeCredentialInfo& aTransactionInfo) {
   AssertIsOnBackgroundThread();
+
+#ifdef OS_WIN
+  if (WinWebAuthnManager::AreWebAuthNApisAvailable()) {
+    WinWebAuthnManager* mgr = WinWebAuthnManager::Get();
+    mgr->Register(this, aTransactionId, aTransactionInfo);
+  } else {
+    U2FTokenManager* mgr = U2FTokenManager::Get();
+    mgr->Register(this, aTransactionId, aTransactionInfo);
+  }
+#else
   U2FTokenManager* mgr = U2FTokenManager::Get();
   mgr->Register(this, aTransactionId, aTransactionInfo);
+#endif
+
   return IPC_OK();
 }
 
 mozilla::ipc::IPCResult WebAuthnTransactionParent::RecvRequestSign(
     const uint64_t& aTransactionId,
     const WebAuthnGetAssertionInfo& aTransactionInfo) {
   AssertIsOnBackgroundThread();
+
+#ifdef OS_WIN
+  if (WinWebAuthnManager::AreWebAuthNApisAvailable()) {
+    WinWebAuthnManager* mgr = WinWebAuthnManager::Get();
+    mgr->Sign(this, aTransactionId, aTransactionInfo);
+  } else {
+    U2FTokenManager* mgr = U2FTokenManager::Get();
+    mgr->Sign(this, aTransactionId, aTransactionInfo);
+  }
+#else
   U2FTokenManager* mgr = U2FTokenManager::Get();
   mgr->Sign(this, aTransactionId, aTransactionInfo);
+#endif
+
   return IPC_OK();
 }
 
 mozilla::ipc::IPCResult WebAuthnTransactionParent::RecvRequestCancel(
     const uint64_t& aTransactionId) {
   AssertIsOnBackgroundThread();
+
+#ifdef OS_WIN
+  if (WinWebAuthnManager::AreWebAuthNApisAvailable()) {
+    WinWebAuthnManager* mgr = WinWebAuthnManager::Get();
+    mgr->Cancel(this, aTransactionId);
+  } else {
+    U2FTokenManager* mgr = U2FTokenManager::Get();
+    mgr->Cancel(this, aTransactionId);
+  }
+#else
   U2FTokenManager* mgr = U2FTokenManager::Get();
   mgr->Cancel(this, aTransactionId);
+#endif
+
   return IPC_OK();
 }
 
 mozilla::ipc::IPCResult WebAuthnTransactionParent::RecvDestroyMe() {
   AssertIsOnBackgroundThread();
 
   // The child was disconnected from the WebAuthnManager instance and will send
   // no further messages. It is kept alive until we delete it explicitly.
@@ -56,18 +96,31 @@ mozilla::ipc::IPCResult WebAuthnTransact
   return IPC_OK();
 }
 
 void WebAuthnTransactionParent::ActorDestroy(ActorDestroyReason aWhy) {
   AssertIsOnBackgroundThread();
 
   // Called either by Send__delete__() in RecvDestroyMe() above, or when
   // the channel disconnects. Ensure the token manager forgets about us.
+
+#ifdef OS_WIN
+  if (WinWebAuthnManager::AreWebAuthNApisAvailable()) {
+    WinWebAuthnManager* mgr = WinWebAuthnManager::Get();
+    if (mgr) {
+      mgr->MaybeClearTransaction(this);
+    }
+  } else {
+    U2FTokenManager* mgr = U2FTokenManager::Get();
+    if (mgr) {
+      mgr->MaybeClearTransaction(this);
+    }
+  }
+#else
   U2FTokenManager* mgr = U2FTokenManager::Get();
-
-  // The manager could probably be null on shutdown?
   if (mgr) {
     mgr->MaybeClearTransaction(this);
   }
+#endif
 }
 
 }  // namespace dom
 }  // namespace mozilla
new file mode 100644
--- /dev/null
+++ b/dom/webauthn/WinWebAuthnManager.cpp
@@ -0,0 +1,582 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "mozilla/dom/PWebAuthnTransactionParent.h"
+#include "mozilla/MozPromise.h"
+#include "mozilla/ipc/BackgroundParent.h"
+#include "mozilla/ClearOnShutdown.h"
+#include "mozilla/Unused.h"
+#include "nsTextFormatter.h"
+#include "winwebauthn/webauthn.h"
+
+#ifdef OS_WIN
+#include "WinWebAuthnManager.h"
+#endif
+
+namespace mozilla {
+namespace dom {
+
+namespace {
+static mozilla::LazyLogModule gWinWebAuthnManagerLog("winwebauthnkeymanager");
+StaticAutoPtr<WinWebAuthnManager> gWinWebAuthnManager;
+static HMODULE gWinWebAuthnModule = 0;
+
+static decltype(WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable)*
+    gWinWebauthnIsUVPAA = nullptr;
+static decltype(
+    WebAuthNAuthenticatorMakeCredential)* gWinWebauthnMakeCredential = nullptr;
+static decltype(
+    WebAuthNFreeCredentialAttestation)* gWinWebauthnFreeCredentialAttestation =
+    nullptr;
+static decltype(WebAuthNAuthenticatorGetAssertion)* gWinWebauthnGetAssertion =
+    nullptr;
+static decltype(WebAuthNFreeAssertion)* gWinWebauthnFreeAssertion = nullptr;
+static decltype(WebAuthNGetCancellationId)* gWinWebauthnGetCancellationId =
+    nullptr;
+static decltype(
+    WebAuthNCancelCurrentOperation)* gWinWebauthnCancelCurrentOperation =
+    nullptr;
+static decltype(WebAuthNGetErrorName)* gWinWebauthnGetErrorName = nullptr;
+static decltype(WebAuthNGetApiVersionNumber)* gWinWebauthnGetApiVersionNumber =
+    nullptr;
+
+}  // namespace
+
+/***********************************************************************
+ * WinWebAuthnManager Implementation
+ **********************************************************************/
+
+constexpr uint32_t kMinWinWebAuthNApiVersion = WEBAUTHN_API_VERSION_1;
+
+WinWebAuthnManager::WinWebAuthnManager() {
+  // Create on the main thread to make sure ClearOnShutdown() works.
+  MOZ_ASSERT(NS_IsMainThread());
+  MOZ_ASSERT(!gWinWebAuthnModule);
+
+  gWinWebAuthnModule = LoadLibrary(L"webauthn.dll");
+
+  if (gWinWebAuthnModule) {
+    gWinWebauthnIsUVPAA = reinterpret_cast<decltype(
+        WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable)*>(
+        GetProcAddress(
+            gWinWebAuthnModule,
+            "WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable"));
+    gWinWebauthnMakeCredential =
+        reinterpret_cast<decltype(WebAuthNAuthenticatorMakeCredential)*>(
+            GetProcAddress(gWinWebAuthnModule,
+                           "WebAuthNAuthenticatorMakeCredential"));
+    gWinWebauthnFreeCredentialAttestation =
+        reinterpret_cast<decltype(WebAuthNFreeCredentialAttestation)*>(
+            GetProcAddress(gWinWebAuthnModule,
+                           "WebAuthNFreeCredentialAttestation"));
+    gWinWebauthnGetAssertion =
+        reinterpret_cast<decltype(WebAuthNAuthenticatorGetAssertion)*>(
+            GetProcAddress(gWinWebAuthnModule,
+                           "WebAuthNAuthenticatorGetAssertion"));
+    gWinWebauthnFreeAssertion =
+        reinterpret_cast<decltype(WebAuthNFreeAssertion)*>(
+            GetProcAddress(gWinWebAuthnModule, "WebAuthNFreeAssertion"));
+    gWinWebauthnGetCancellationId =
+        reinterpret_cast<decltype(WebAuthNGetCancellationId)*>(
+            GetProcAddress(gWinWebAuthnModule, "WebAuthNGetCancellationId"));
+    gWinWebauthnCancelCurrentOperation =
+        reinterpret_cast<decltype(WebAuthNCancelCurrentOperation)*>(
+            GetProcAddress(gWinWebAuthnModule,
+                           "WebAuthNCancelCurrentOperation"));
+    gWinWebauthnGetErrorName =
+        reinterpret_cast<decltype(WebAuthNGetErrorName)*>(
+            GetProcAddress(gWinWebAuthnModule, "WebAuthNGetErrorName"));
+    gWinWebauthnGetApiVersionNumber =
+        reinterpret_cast<decltype(WebAuthNGetApiVersionNumber)*>(
+            GetProcAddress(gWinWebAuthnModule, "WebAuthNGetApiVersionNumber"));
+
+    if (gWinWebauthnIsUVPAA && gWinWebauthnMakeCredential &&
+        gWinWebauthnFreeCredentialAttestation && gWinWebauthnGetAssertion &&
+        gWinWebauthnFreeAssertion && gWinWebauthnGetCancellationId &&
+        gWinWebauthnCancelCurrentOperation && gWinWebauthnGetErrorName &&
+        gWinWebauthnGetApiVersionNumber) {
+      mWinWebAuthNApiVersion = gWinWebauthnGetApiVersionNumber();
+    }
+  }
+}
+
+WinWebAuthnManager::~WinWebAuthnManager() {
+  if (gWinWebAuthnModule) {
+    FreeLibrary(gWinWebAuthnModule);
+  }
+  gWinWebAuthnModule = 0;
+}
+
+// static
+void WinWebAuthnManager::Initialize() {
+  if (!gWinWebAuthnManager) {
+    gWinWebAuthnManager = new WinWebAuthnManager();
+    ClearOnShutdown(&gWinWebAuthnManager);
+  }
+}
+
+// static
+WinWebAuthnManager* WinWebAuthnManager::Get() {
+  MOZ_ASSERT(gWinWebAuthnManager);
+  return gWinWebAuthnManager;
+}
+
+uint32_t WinWebAuthnManager::GetWebAuthNApiVersion() {
+  return mWinWebAuthNApiVersion;
+}
+
+// static
+bool WinWebAuthnManager::AreWebAuthNApisAvailable() {
+  WinWebAuthnManager* mgr = WinWebAuthnManager::Get();
+  return mgr->GetWebAuthNApiVersion() >= kMinWinWebAuthNApiVersion;
+}
+
+bool WinWebAuthnManager::
+    IsUserVerifyingPlatformAuthenticatorAvailableInternal() {
+  BOOL isUVPAA = FALSE;
+  return (gWinWebauthnIsUVPAA(&isUVPAA) == S_OK && isUVPAA == TRUE);
+}
+
+// static
+bool WinWebAuthnManager::IsUserVerifyingPlatformAuthenticatorAvailable() {
+  if (WinWebAuthnManager::AreWebAuthNApisAvailable()) {
+    return WinWebAuthnManager::Get()
+        ->IsUserVerifyingPlatformAuthenticatorAvailableInternal();
+  }
+  return false;
+}
+
+void WinWebAuthnManager::AbortTransaction(const uint64_t& aTransactionId,
+                                          const nsresult& aError) {
+  Unused << mTransactionParent->SendAbort(aTransactionId, aError);
+  ClearTransaction();
+}
+
+void WinWebAuthnManager::MaybeClearTransaction(
+    PWebAuthnTransactionParent* aParent) {
+  // Only clear if we've been requested to do so by our current transaction
+  // parent.
+  if (mTransactionParent == aParent) {
+    ClearTransaction();
+  }
+}
+
+void WinWebAuthnManager::ClearTransaction() { mTransactionParent = nullptr; }
+
+void WinWebAuthnManager::Register(
+    PWebAuthnTransactionParent* aTransactionParent,
+    const uint64_t& aTransactionId, const WebAuthnMakeCredentialInfo& aInfo) {
+  MOZ_LOG(gWinWebAuthnManagerLog, LogLevel::Debug, ("WinWebAuthNRegister"));
+
+  ClearTransaction();
+  mTransactionParent = aTransactionParent;
+
+  const auto& extra = aInfo.Extra().get_WebAuthnMakeCredentialExtraInfo();
+
+  // RP Information
+  WEBAUTHN_RP_ENTITY_INFORMATION rpInformation = {
+      WEBAUTHN_RP_ENTITY_INFORMATION_CURRENT_VERSION, aInfo.RpId().get(),
+      extra.Rp().Name().get(), extra.Rp().Icon().get()};
+
+  // User Information
+  WEBAUTHN_USER_ENTITY_INFORMATION userInformation = {
+      WEBAUTHN_USER_ENTITY_INFORMATION_CURRENT_VERSION,
+      static_cast<DWORD>(extra.User().Id().Length()),
+      const_cast<unsigned char*>(extra.User().Id().Elements()),
+      extra.User().Name().get(),
+      extra.User().Icon().get(),
+      extra.User().DisplayName().get()};
+
+  // Algorithms
+  nsTArray<WEBAUTHN_COSE_CREDENTIAL_PARAMETER> coseParams;
+  for (const auto& coseAlg : extra.coseAlgs()) {
+    WEBAUTHN_COSE_CREDENTIAL_PARAMETER coseAlgorithm = {
+        WEBAUTHN_COSE_CREDENTIAL_PARAMETER_CURRENT_VERSION,
+        WEBAUTHN_CREDENTIAL_TYPE_PUBLIC_KEY, coseAlg.alg()};
+    coseParams.AppendElement(coseAlgorithm);
+  }
+  WEBAUTHN_COSE_CREDENTIAL_PARAMETERS WebAuthNCredentialParameters = {
+      static_cast<DWORD>(coseParams.Length()), coseParams.Elements()};
+
+  // Client Data
+  WEBAUTHN_CLIENT_DATA WebAuthNClientData = {
+      WEBAUTHN_CLIENT_DATA_CURRENT_VERSION, aInfo.ClientDataJSON().Length(),
+      (BYTE*)(aInfo.ClientDataJSON().get()), WEBAUTHN_HASH_ALGORITHM_SHA_256};
+
+  const auto& sel = extra.AuthenticatorSelection();
+
+  // User Verification Requirement
+  UserVerificationRequirement userVerificationReq =
+      static_cast<UserVerificationRequirement>(
+          sel.userVerificationRequirement());
+  DWORD winUserVerificationReq = WEBAUTHN_USER_VERIFICATION_REQUIREMENT_ANY;
+  switch (userVerificationReq) {
+    case UserVerificationRequirement::Required:
+      winUserVerificationReq = WEBAUTHN_USER_VERIFICATION_REQUIREMENT_REQUIRED;
+      break;
+    case UserVerificationRequirement::Preferred:
+      winUserVerificationReq = WEBAUTHN_USER_VERIFICATION_REQUIREMENT_PREFERRED;
+      break;
+    case UserVerificationRequirement::Discouraged:
+      winUserVerificationReq =
+          WEBAUTHN_USER_VERIFICATION_REQUIREMENT_DISCOURAGED;
+      break;
+    default:
+      winUserVerificationReq = WEBAUTHN_USER_VERIFICATION_REQUIREMENT_ANY;
+      break;
+  }
+
+  // Attachment
+  DWORD winAttachment = WEBAUTHN_AUTHENTICATOR_ATTACHMENT_ANY;
+  if (sel.authenticatorAttachment().type() ==
+      WebAuthnMaybeAuthenticatorAttachment::Tuint8_t) {
+    const AuthenticatorAttachment authenticatorAttachment =
+        static_cast<AuthenticatorAttachment>(
+            sel.authenticatorAttachment().get_uint8_t());
+    switch (authenticatorAttachment) {
+      case AuthenticatorAttachment::Platform:
+        winAttachment = WEBAUTHN_AUTHENTICATOR_ATTACHMENT_PLATFORM;
+        break;
+      case AuthenticatorAttachment::Cross_platform:
+        winAttachment = WEBAUTHN_AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM;
+        break;
+      default:
+        break;
+    }
+  }
+
+  // Resident Key
+  BOOL winRequireResidentKey = sel.requireResidentKey() ? TRUE : FALSE;
+
+  // AttestationConveyance
+  AttestationConveyancePreference attestation =
+      static_cast<AttestationConveyancePreference>(
+          extra.attestationConveyancePreference());
+  DWORD winAttestation = WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_ANY;
+  switch (attestation) {
+    case AttestationConveyancePreference::Direct:
+      winAttestation = WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT;
+      break;
+    case AttestationConveyancePreference::Indirect:
+      winAttestation = WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_INDIRECT;
+      break;
+    case AttestationConveyancePreference::None:
+      winAttestation = WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_NONE;
+      break;
+    default:
+      winAttestation = WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_ANY;
+      break;
+  }
+
+  // Exclude Credentials
+  nsTArray<WEBAUTHN_CREDENTIAL_EX> excludeCredentials;
+  WEBAUTHN_CREDENTIAL_EX* pExcludeCredentials = nullptr;
+  nsTArray<WEBAUTHN_CREDENTIAL_EX*> excludeCredentialsPtrs;
+  WEBAUTHN_CREDENTIAL_LIST excludeCredentialList = {0};
+  WEBAUTHN_CREDENTIAL_LIST* pExcludeCredentialList = nullptr;
+
+  for (auto& cred : aInfo.ExcludeList()) {
+    uint8_t transports = cred.transports();
+    DWORD winTransports = 0;
+    if (transports & U2F_AUTHENTICATOR_TRANSPORT_USB) {
+      winTransports |= WEBAUTHN_CTAP_TRANSPORT_USB;
+    }
+    if (transports & U2F_AUTHENTICATOR_TRANSPORT_NFC) {
+      winTransports |= WEBAUTHN_CTAP_TRANSPORT_NFC;
+    }
+    if (transports & U2F_AUTHENTICATOR_TRANSPORT_BLE) {
+      winTransports |= WEBAUTHN_CTAP_TRANSPORT_BLE;
+    }
+    if (transports & CTAP_AUTHENTICATOR_TRANSPORT_INTERNAL) {
+      winTransports |= WEBAUTHN_CTAP_TRANSPORT_INTERNAL;
+    }
+
+    WEBAUTHN_CREDENTIAL_EX credential = {
+        WEBAUTHN_CREDENTIAL_EX_CURRENT_VERSION,
+        static_cast<DWORD>(cred.id().Length()), (PBYTE)(cred.id().Elements()),
+        WEBAUTHN_CREDENTIAL_TYPE_PUBLIC_KEY, winTransports};
+    excludeCredentials.AppendElement(credential);
+  }
+
+  if (!excludeCredentials.IsEmpty()) {
+    pExcludeCredentials = excludeCredentials.Elements();
+    for (DWORD i = 0; i < excludeCredentials.Length(); i++) {
+      excludeCredentialsPtrs.AppendElement(&pExcludeCredentials[i]);
+    }
+    excludeCredentialList.cCredentials = excludeCredentials.Length();
+    excludeCredentialList.ppCredentials = excludeCredentialsPtrs.Elements();
+    pExcludeCredentialList = &excludeCredentialList;
+  }
+
+  // MakeCredentialOptions
+  WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS WebAuthNCredentialOptions = {
+      WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_CURRENT_VERSION,
+      aInfo.TimeoutMS(),
+      {0, NULL},
+      {0, NULL},
+      winAttachment,
+      winRequireResidentKey,
+      winUserVerificationReq,
+      winAttestation,
+      0,     // Flags
+      NULL,  // CancellationId
+      pExcludeCredentialList};
+
+  GUID cancellationId = {0};
+  if (gWinWebauthnGetCancellationId(&cancellationId) == S_OK) {
+    WebAuthNCredentialOptions.pCancellationId = &cancellationId;
+    mCancellationIds.emplace(aTransactionId, &cancellationId);
+  }
+
+  WEBAUTHN_CREDENTIAL_ATTESTATION* pWebAuthNCredentialAttestation = nullptr;
+
+  // Bug 1518876: Get Window Handle from Content process for Windows WebAuthN
+  // APIs
+  HWND hWnd = GetForegroundWindow();
+
+  HRESULT hr = gWinWebauthnMakeCredential(
+      hWnd, &rpInformation, &userInformation, &WebAuthNCredentialParameters,
+      &WebAuthNClientData, &WebAuthNCredentialOptions,
+      &pWebAuthNCredentialAttestation);
+
+  mCancellationIds.erase(aTransactionId);
+
+  if (hr == S_OK) {
+    nsTArray<uint8_t> attObject;
+    attObject.AppendElements(
+        pWebAuthNCredentialAttestation->pbAttestationObject,
+        pWebAuthNCredentialAttestation->cbAttestationObject);
+
+    nsTArray<uint8_t> credentialId;
+    credentialId.AppendElements(pWebAuthNCredentialAttestation->pbCredentialId,
+                                pWebAuthNCredentialAttestation->cbCredentialId);
+
+    nsTArray<uint8_t> authenticatorData;
+    authenticatorData.AppendElements(
+        pWebAuthNCredentialAttestation->pbAuthenticatorData,
+        pWebAuthNCredentialAttestation->cbAuthenticatorData);
+
+    WebAuthnMakeCredentialResult result(aInfo.ClientDataJSON(), attObject,
+                                        credentialId, authenticatorData);
+
+    Unused << mTransactionParent->SendConfirmRegister(aTransactionId, result);
+    ClearTransaction();
+    gWinWebauthnFreeCredentialAttestation(pWebAuthNCredentialAttestation);
+
+  } else {
+    PCWSTR errorName = gWinWebauthnGetErrorName(hr);
+    nsresult aError = NS_ERROR_DOM_ABORT_ERR;
+
+    if (_wcsicmp(errorName, L"InvalidStateError") == 0) {
+      aError = NS_ERROR_DOM_INVALID_STATE_ERR;
+    } else if (_wcsicmp(errorName, L"ConstraintError") == 0 ||
+               _wcsicmp(errorName, L"UnknownError") == 0) {
+      aError = NS_ERROR_DOM_UNKNOWN_ERR;
+    } else if (_wcsicmp(errorName, L"NotSupportedError") == 0) {
+      aError = NS_ERROR_DOM_INVALID_STATE_ERR;
+    } else if (_wcsicmp(errorName, L"NotAllowedError") == 0) {
+      aError = NS_ERROR_DOM_NOT_ALLOWED_ERR;
+    }
+
+    MaybeAbortRegister(aTransactionId, aError);
+  }
+}
+
+void WinWebAuthnManager::MaybeAbortRegister(const uint64_t& aTransactionId,
+                                            const nsresult& aError) {
+  AbortTransaction(aTransactionId, aError);
+}
+
+void WinWebAuthnManager::Sign(PWebAuthnTransactionParent* aTransactionParent,
+                              const uint64_t& aTransactionId,
+                              const WebAuthnGetAssertionInfo& aInfo) {
+  MOZ_LOG(gWinWebAuthnManagerLog, LogLevel::Debug, ("WinWebAuthNSign"));
+
+  ClearTransaction();
+  mTransactionParent = aTransactionParent;
+
+  const auto& extra = aInfo.Extra().get_WebAuthnGetAssertionExtraInfo();
+
+  // AppId
+  BOOL bU2fAppIdUsed = FALSE;
+  BOOL* pbU2fAppIdUsed = nullptr;
+  PCWSTR winAppIdentifier = nullptr;
+
+  for (const WebAuthnExtension& ext : extra.Extensions()) {
+    if (ext.type() == WebAuthnExtension::TWebAuthnExtensionAppId) {
+      winAppIdentifier = ext.get_WebAuthnExtensionAppId().appIdentifier().get();
+      pbU2fAppIdUsed = &bU2fAppIdUsed;
+      break;
+    }
+  }
+
+  // Client Data
+  WEBAUTHN_CLIENT_DATA WebAuthNClientData = {
+      WEBAUTHN_CLIENT_DATA_CURRENT_VERSION, aInfo.ClientDataJSON().Length(),
+      (BYTE*)(aInfo.ClientDataJSON().get()), WEBAUTHN_HASH_ALGORITHM_SHA_256};
+
+  // User Verification Requirement
+  UserVerificationRequirement userVerificationReq =
+      static_cast<UserVerificationRequirement>(
+          extra.userVerificationRequirement());
+
+  DWORD winUserVerificationReq = WEBAUTHN_USER_VERIFICATION_REQUIREMENT_ANY;
+  switch (userVerificationReq) {
+    case UserVerificationRequirement::Required:
+      winUserVerificationReq = WEBAUTHN_USER_VERIFICATION_REQUIREMENT_REQUIRED;
+      break;
+    case UserVerificationRequirement::Preferred:
+      winUserVerificationReq = WEBAUTHN_USER_VERIFICATION_REQUIREMENT_PREFERRED;
+      break;
+    case UserVerificationRequirement::Discouraged:
+      winUserVerificationReq =
+          WEBAUTHN_USER_VERIFICATION_REQUIREMENT_DISCOURAGED;
+      break;
+    default:
+      winUserVerificationReq = WEBAUTHN_USER_VERIFICATION_REQUIREMENT_ANY;
+      break;
+  }
+
+  // allow Credentials
+  nsTArray<WEBAUTHN_CREDENTIAL_EX> allowCredentials;
+  WEBAUTHN_CREDENTIAL_EX* pAllowCredentials = nullptr;
+  nsTArray<WEBAUTHN_CREDENTIAL_EX*> allowCredentialsPtrs;
+  WEBAUTHN_CREDENTIAL_LIST allowCredentialList = {0};
+  WEBAUTHN_CREDENTIAL_LIST* pAllowCredentialList = nullptr;
+
+  for (auto& cred : aInfo.AllowList()) {
+    uint8_t transports = cred.transports();
+    DWORD winTransports = 0;
+    if (transports & U2F_AUTHENTICATOR_TRANSPORT_USB) {
+      winTransports |= WEBAUTHN_CTAP_TRANSPORT_USB;
+    }
+    if (transports & U2F_AUTHENTICATOR_TRANSPORT_NFC) {
+      winTransports |= WEBAUTHN_CTAP_TRANSPORT_NFC;
+    }
+    if (transports & U2F_AUTHENTICATOR_TRANSPORT_BLE) {
+      winTransports |= WEBAUTHN_CTAP_TRANSPORT_BLE;
+    }
+    if (transports & CTAP_AUTHENTICATOR_TRANSPORT_INTERNAL) {
+      winTransports |= WEBAUTHN_CTAP_TRANSPORT_INTERNAL;
+    }
+
+    WEBAUTHN_CREDENTIAL_EX credential = {
+        WEBAUTHN_CREDENTIAL_EX_CURRENT_VERSION,
+        static_cast<DWORD>(cred.id().Length()), (PBYTE)(cred.id().Elements()),
+        WEBAUTHN_CREDENTIAL_TYPE_PUBLIC_KEY, winTransports};
+    allowCredentials.AppendElement(credential);
+  }
+
+  if (allowCredentials.Length()) {
+    pAllowCredentials = allowCredentials.Elements();
+    for (DWORD i = 0; i < allowCredentials.Length(); i++) {
+      allowCredentialsPtrs.AppendElement(&pAllowCredentials[i]);
+    }
+    allowCredentialList.cCredentials = allowCredentials.Length();
+    allowCredentialList.ppCredentials = allowCredentialsPtrs.Elements();
+    pAllowCredentialList = &allowCredentialList;
+  }
+
+  WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS WebAuthNAssertionOptions = {
+      WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_CURRENT_VERSION,
+      aInfo.TimeoutMS(),
+      {0, NULL},
+      {0, NULL},
+      WEBAUTHN_AUTHENTICATOR_ATTACHMENT_ANY,
+      winUserVerificationReq,
+      0,  // dwFlags
+      winAppIdentifier,
+      pbU2fAppIdUsed,
+      nullptr,  // pCancellationId
+      pAllowCredentialList,
+  };
+
+  GUID cancellationId = {0};
+  if (gWinWebauthnGetCancellationId(&cancellationId) == S_OK) {
+    WebAuthNAssertionOptions.pCancellationId = &cancellationId;
+    mCancellationIds.emplace(aTransactionId, &cancellationId);
+  }
+
+  PWEBAUTHN_ASSERTION pWebAuthNAssertion = nullptr;
+
+  // Bug 1518876: Get Window Handle from Content process for Windows WebAuthN
+  // APIs
+  HWND hWnd = GetForegroundWindow();
+
+  HRESULT hr =
+      gWinWebauthnGetAssertion(hWnd, aInfo.RpId().get(), &WebAuthNClientData,
+                               &WebAuthNAssertionOptions, &pWebAuthNAssertion);
+
+  mCancellationIds.erase(aTransactionId);
+
+  if (hr == S_OK) {
+    nsTArray<uint8_t> signature;
+    signature.AppendElements(pWebAuthNAssertion->pbSignature,
+                             pWebAuthNAssertion->cbSignature);
+
+    nsTArray<uint8_t> keyHandle;
+    keyHandle.AppendElements(pWebAuthNAssertion->Credential.pbId,
+                             pWebAuthNAssertion->Credential.cbId);
+
+    nsTArray<uint8_t> authenticatorData;
+    authenticatorData.AppendElements(pWebAuthNAssertion->pbAuthenticatorData,
+                                     pWebAuthNAssertion->cbAuthenticatorData);
+
+    nsTArray<WebAuthnExtensionResult> extensions;
+
+    if (pbU2fAppIdUsed && *pbU2fAppIdUsed) {
+      extensions.AppendElement(WebAuthnExtensionResultAppId(true));
+    }
+
+    WebAuthnGetAssertionResult result(aInfo.ClientDataJSON(), keyHandle,
+                                      signature, authenticatorData, extensions,
+                                      signature);
+
+    Unused << mTransactionParent->SendConfirmSign(aTransactionId, result);
+    ClearTransaction();
+
+    gWinWebauthnFreeAssertion(pWebAuthNAssertion);
+
+  } else {
+    PCWSTR errorName = gWinWebauthnGetErrorName(hr);
+    nsresult aError = NS_ERROR_DOM_ABORT_ERR;
+
+    if (_wcsicmp(errorName, L"InvalidStateError") == 0) {
+      aError = NS_ERROR_DOM_INVALID_STATE_ERR;
+    } else if (_wcsicmp(errorName, L"ConstraintError") == 0 ||
+               _wcsicmp(errorName, L"UnknownError") == 0) {
+      aError = NS_ERROR_DOM_UNKNOWN_ERR;
+    } else if (_wcsicmp(errorName, L"NotSupportedError") == 0) {
+      aError = NS_ERROR_DOM_INVALID_STATE_ERR;
+    } else if (_wcsicmp(errorName, L"NotAllowedError") == 0) {
+      aError = NS_ERROR_DOM_NOT_ALLOWED_ERR;
+    }
+
+    MaybeAbortSign(aTransactionId, aError);
+  }
+}
+
+void WinWebAuthnManager::MaybeAbortSign(const uint64_t& aTransactionId,
+                                        const nsresult& aError) {
+  AbortTransaction(aTransactionId, aError);
+}
+
+void WinWebAuthnManager::Cancel(PWebAuthnTransactionParent* aParent,
+                                const uint64_t& aTransactionId) {
+  if (mTransactionParent != aParent) {
+    return;
+  }
+
+  ClearTransaction();
+
+  auto iter = mCancellationIds.find(aTransactionId);
+  if (iter != mCancellationIds.end()) {
+    gWinWebauthnCancelCurrentOperation(iter->second);
+  }
+}
+
+}  // namespace dom
+}  // namespace mozilla
new file mode 100644
--- /dev/null
+++ b/dom/webauthn/WinWebAuthnManager.h
@@ -0,0 +1,54 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_dom_WinWebAuthnManager_h
+#define mozilla_dom_WinWebAuthnManager_h
+
+#include "mozilla/dom/U2FTokenTransport.h"
+#include "mozilla/dom/PWebAuthnTransaction.h"
+
+namespace mozilla {
+namespace dom {
+
+class WebAuthnTransactionParent;
+
+class WinWebAuthnManager final {
+ public:
+  static WinWebAuthnManager* Get();
+  void Register(PWebAuthnTransactionParent* aTransactionParent,
+                const uint64_t& aTransactionId,
+                const WebAuthnMakeCredentialInfo& aTransactionInfo);
+  void Sign(PWebAuthnTransactionParent* aTransactionParent,
+            const uint64_t& aTransactionId,
+            const WebAuthnGetAssertionInfo& aTransactionInfo);
+  void Cancel(PWebAuthnTransactionParent* aTransactionParent,
+              const uint64_t& aTransactionId);
+  void MaybeClearTransaction(PWebAuthnTransactionParent* aParent);
+  static void Initialize();
+  static bool IsUserVerifyingPlatformAuthenticatorAvailable();
+  static bool AreWebAuthNApisAvailable();
+
+  WinWebAuthnManager();
+  ~WinWebAuthnManager();
+
+ private:
+  void AbortTransaction(const uint64_t& aTransactionId, const nsresult& aError);
+  void ClearTransaction();
+  void MaybeAbortRegister(const uint64_t& aTransactionId,
+                          const nsresult& aError);
+  void MaybeAbortSign(const uint64_t& aTransactionId, const nsresult& aError);
+  bool IsUserVerifyingPlatformAuthenticatorAvailableInternal();
+  uint32_t GetWebAuthNApiVersion();
+
+  PWebAuthnTransactionParent* mTransactionParent;
+  uint32_t mWinWebAuthNApiVersion = 0;
+  std::map<uint64_t, GUID*> mCancellationIds;
+};
+
+}  // namespace dom
+}  // namespace mozilla
+
+#endif  // mozilla_dom_WinWebAuthnManager_h
--- a/dom/webauthn/moz.build
+++ b/dom/webauthn/moz.build
@@ -27,16 +27,17 @@ EXPORTS.mozilla.dom += [
     'U2FTokenManager.h',
     'U2FTokenTransport.h',
     'WebAuthnCBORUtil.h',
     'WebAuthnManager.h',
     'WebAuthnManagerBase.h',
     'WebAuthnTransactionChild.h',
     'WebAuthnTransactionParent.h',
     'WebAuthnUtil.h',
+    'winwebauthn/webauthn.h',
 ]
 
 UNIFIED_SOURCES += [
     'AuthenticatorAssertionResponse.cpp',
     'AuthenticatorAttestationResponse.cpp',
     'AuthenticatorResponse.cpp',
     'cbor-cpp/src/encoder.cpp',
     'cbor-cpp/src/output_dynamic.cpp',
@@ -62,10 +63,18 @@ LOCAL_INCLUDES += [
     '/security/manager/ssl',
 ]
 
 if CONFIG['OS_ARCH'] == 'WINNT':
     OS_LIBS += [
         'hid',
     ]
 
+if CONFIG['OS_TARGET'] == 'WINNT':
+    EXPORTS.mozilla.dom += [
+        'WinWebAuthnManager.h',
+    ]
+    UNIFIED_SOURCES += [
+        'WinWebAuthnManager.cpp',
+    ]
+
 MOCHITEST_MANIFESTS += ['tests/mochitest.ini']
 BROWSER_CHROME_MANIFESTS += ['tests/browser/browser.ini']
--- a/dom/webauthn/u2f-hid-rs/src/u2fhid-capi.h
+++ b/dom/webauthn/u2f-hid-rs/src/u2fhid-capi.h
@@ -18,16 +18,17 @@ const uint8_t U2F_RESBUF_ID_APPID = 3;
 
 const uint64_t U2F_FLAG_REQUIRE_RESIDENT_KEY = 1;
 const uint64_t U2F_FLAG_REQUIRE_USER_VERIFICATION = 2;
 const uint64_t U2F_FLAG_REQUIRE_PLATFORM_ATTACHMENT = 4;
 
 const uint8_t U2F_AUTHENTICATOR_TRANSPORT_USB = 1;
 const uint8_t U2F_AUTHENTICATOR_TRANSPORT_NFC = 2;
 const uint8_t U2F_AUTHENTICATOR_TRANSPORT_BLE = 4;
+const uint8_t CTAP_AUTHENTICATOR_TRANSPORT_INTERNAL = 8;
 
 const uint8_t U2F_ERROR_UKNOWN = 1;
 const uint8_t U2F_ERROR_NOT_SUPPORTED = 2;
 const uint8_t U2F_ERROR_INVALID_STATE = 3;
 const uint8_t U2F_ERROR_CONSTRAINT = 4;
 const uint8_t U2F_ERROR_NOT_ALLOWED = 5;
 
 // NOTE: Preconditions
new file mode 100644
--- /dev/null
+++ b/dom/webauthn/winwebauthn/.gitignore
@@ -0,0 +1,330 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+##
+## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
+
+# User-specific files
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
+
+# User-specific files (MonoDevelop/Xamarin Studio)
+*.userprefs
+
+# Build results
+[Dd]ebug/
+[Dd]ebugPublic/
+[Rr]elease/
+[Rr]eleases/
+x64/
+x86/
+bld/
+[Bb]in/
+[Oo]bj/
+[Ll]og/
+
+# Visual Studio 2015/2017 cache/options directory
+.vs/
+# Uncomment if you have tasks that create the project's static files in wwwroot
+#wwwroot/
+
+# Visual Studio 2017 auto generated files
+Generated\ Files/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+# NUNIT
+*.VisualState.xml
+TestResult.xml
+
+# Build Results of an ATL Project
+[Dd]ebugPS/
+[Rr]eleasePS/
+dlldata.c
+
+# Benchmark Results
+BenchmarkDotNet.Artifacts/
+
+# .NET Core
+project.lock.json
+project.fragment.lock.json
+artifacts/
+**/Properties/launchSettings.json
+
+# StyleCop
+StyleCopReport.xml
+
+# Files built by Visual Studio
+*_i.c
+*_p.c
+*_i.h
+*.ilk
+*.meta
+*.obj
+*.iobj
+*.pch
+*.pdb
+*.ipdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.svclog
+*.scc
+
+# Chutzpah Test files
+_Chutzpah*
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opendb
+*.opensdf
+*.sdf
+*.cachefile
+*.VC.db
+*.VC.VC.opendb
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+*.sap
+
+# Visual Studio Trace Files
+*.e2e
+
+# TFS 2012 Local Workspace
+$tf/
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+*.DotSettings.user
+
+# JustCode is a .NET coding add-in
+.JustCode
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# AxoCover is a Code Coverage Tool
+.axoCover/*
+!.axoCover/settings.json
+
+# Visual Studio code coverage results
+*.coverage
+*.coveragexml
+
+# NCrunch
+_NCrunch_*
+.*crunch*.local.xml
+nCrunchTemp_*
+
+# MightyMoose
+*.mm.*
+AutoTest.Net/
+
+# Web workbench (sass)
+.sass-cache/
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.[Pp]ublish.xml
+*.azurePubxml
+# Note: Comment the next line if you want to checkin your web deploy settings,
+# but database connection strings (with potential passwords) will be unencrypted
+*.pubxml
+*.publishproj
+
+# Microsoft Azure Web App publish settings. Comment the next line if you want to
+# checkin your Azure Web App publish settings, but sensitive information contained
+# in these scripts will be unencrypted
+PublishScripts/
+
+# NuGet Packages
+*.nupkg
+# The packages folder can be ignored because of Package Restore
+**/[Pp]ackages/*
+# except build/, which is used as an MSBuild target.
+!**/[Pp]ackages/build/
+# Uncomment if necessary however generally it will be regenerated when needed
+#!**/[Pp]ackages/repositories.config
+# NuGet v3's project.json files produces more ignorable files
+*.nuget.props
+*.nuget.targets
+
+# Microsoft Azure Build Output
+csx/
+*.build.csdef
+
+# Microsoft Azure Emulator
+ecf/
+rcf/
+
+# Windows Store app package directories and files
+AppPackages/
+BundleArtifacts/
+Package.StoreAssociation.xml
+_pkginfo.txt
+*.appx
+
+# Visual Studio cache files
+# files ending in .cache can be ignored
+*.[Cc]ache
+# but keep track of directories ending in .cache
+!*.[Cc]ache/
+
+# Others
+ClientBin/
+~$*
+*~
+*.dbmdl
+*.dbproj.schemaview
+*.jfm
+*.pfx
+*.publishsettings
+orleans.codegen.cs
+
+# Including strong name files can present a security risk 
+# (https://github.com/github/gitignore/pull/2483#issue-259490424)
+#*.snk
+
+# Since there are multiple workflows, uncomment next line to ignore bower_components
+# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
+#bower_components/
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file
+# to a newer Visual Studio version. Backup files are not needed,
+# because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+ServiceFabricBackup/
+*.rptproj.bak
+
+# SQL Server files
+*.mdf
+*.ldf
+*.ndf
+
+# Business Intelligence projects
+*.rdl.data
+*.bim.layout
+*.bim_*.settings
+*.rptproj.rsuser
+
+# Microsoft Fakes
+FakesAssemblies/
+
+# GhostDoc plugin setting file
+*.GhostDoc.xml
+
+# Node.js Tools for Visual Studio
+.ntvs_analysis.dat
+node_modules/
+
+# Visual Studio 6 build log
+*.plg
+
+# Visual Studio 6 workspace options file
+*.opt
+
+# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
+*.vbw
+
+# Visual Studio LightSwitch build output
+**/*.HTMLClient/GeneratedArtifacts
+**/*.DesktopClient/GeneratedArtifacts
+**/*.DesktopClient/ModelManifest.xml
+**/*.Server/GeneratedArtifacts
+**/*.Server/ModelManifest.xml
+_Pvt_Extensions
+
+# Paket dependency manager
+.paket/paket.exe
+paket-files/
+
+# FAKE - F# Make
+.fake/
+
+# JetBrains Rider
+.idea/
+*.sln.iml
+
+# CodeRush
+.cr/
+
+# Python Tools for Visual Studio (PTVS)
+__pycache__/
+*.pyc
+
+# Cake - Uncomment if you are using it
+# tools/**
+# !tools/packages.config
+
+# Tabs Studio
+*.tss
+
+# Telerik's JustMock configuration file
+*.jmconfig
+
+# BizTalk build output
+*.btp.cs
+*.btm.cs
+*.odx.cs
+*.xsd.cs
+
+# OpenCover UI analysis results
+OpenCover/
+
+# Azure Stream Analytics local run output 
+ASALocalRun/
+
+# MSBuild Binary and Structured Log
+*.binlog
+
+# NVidia Nsight GPU debugger configuration file
+*.nvuser
+
+# MFractors (Xamarin productivity tool) working folder 
+.mfractor/
new file mode 100644
--- /dev/null
+++ b/dom/webauthn/winwebauthn/LICENSE
@@ -0,0 +1,21 @@
+    MIT License
+
+    Copyright (c) Microsoft Corporation. All rights reserved.
+
+    Permission is hereby granted, free of charge, to any person obtaining a copy
+    of this software and associated documentation files (the "Software"), to deal
+    in the Software without restriction, including without limitation the rights
+    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+    copies of the Software, and to permit persons to whom the Software is
+    furnished to do so, subject to the following conditions:
+
+    The above copyright notice and this permission notice shall be included in all
+    copies or substantial portions of the Software.
+
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+    SOFTWARE
new file mode 100644
--- /dev/null
+++ b/dom/webauthn/winwebauthn/README.md
@@ -0,0 +1,26 @@
+# Description
+
+This project includes Win32 headers for communicating to Windows Hello and external secruity keys as part of WebAuthN and CTAP specification.
+
+For more details about the standards, please follow these links:
+* WebAuthN: https://w3c.github.io/webauthn/
+* CTAP: https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html
+
+
+# Having Issues?
+If you have any issues in adopting these APIs or need some clarification, please contact [FIDO OS Security Group](FIDOSEC@microsoft.com)
+
+
+# Contributing
+
+This project welcomes contributions and suggestions.  Most contributions require you to agree to a
+Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
+the rights to use your contribution. For details, visit https://cla.microsoft.com.
+
+When you submit a pull request, a CLA-bot will automatically determine whether you need to provide
+a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions
+provided by the bot. You will only need to do this once across all repos using our CLA.
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
+contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
new file mode 100644
--- /dev/null
+++ b/dom/webauthn/winwebauthn/webauthn.h
@@ -0,0 +1,670 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#ifndef __WEBAUTHN_H_
+#define __WEBAUTHN_H_
+
+#pragma once
+
+#include <winapifamily.h>
+
+#pragma region Desktop Family or OneCore Family
+#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifndef WINAPI
+#define WINAPI __stdcall
+#endif
+
+#ifndef INITGUID
+#define INITGUID
+#include <guiddef.h>
+#undef INITGUID
+#else
+#include <guiddef.h>
+#endif
+
+//+------------------------------------------------------------------------------------------
+// API Version Information.
+// Caller should check for WebAuthNGetApiVersionNumber to check the presence of relevant APIs
+// and features for their usage.
+//-------------------------------------------------------------------------------------------
+
+#define WEBAUTHN_API_VERSION_1          1
+// WEBAUTHN_API_VERSION_1 : Baseline Version
+//      Data Structures and their sub versions:
+//          - WEBAUTHN_RP_ENTITY_INFORMATION                    :   1
+//          - WEBAUTHN_USER_ENTITY_INFORMATION                  :   1
+//          - WEBAUTHN_CLIENT_DATA                              :   1
+//          - WEBAUTHN_COSE_CREDENTIAL_PARAMETER                :   1
+//          - WEBAUTHN_COSE_CREDENTIAL_PARAMETERS               :   Not Applicable
+//          - WEBAUTHN_CREDENTIAL                               :   1
+//          - WEBAUTHN_CREDENTIALS                              :   Not Applicable
+//          - WEBAUTHN_CREDENTIAL_EX                            :   1
+//          - WEBAUTHN_CREDENTIAL_LIST                          :   Not Applicable
+//          - WEBAUTHN_EXTENSION                                :   Not Applicable
+//          - WEBAUTHN_EXTENSIONS                               :   Not Applicable
+//          - WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS    :   3
+//          - WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS      :   4
+//          - WEBAUTHN_COMMON_ATTESTATION                       :   1
+//          - WEBAUTHN_CREDENTIAL_ATTESTATION                   :   3
+//          - WEBAUTHN_ASSERTION                                :   1
+//      Extensions:
+//          - WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET
+//      APIs:
+//          - WebAuthNGetApiVersionNumber
+//          - WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable
+//          - WebAuthNAuthenticatorMakeCredential
+//          - WebAuthNAuthenticatorGetAssertion
+//          - WebAuthNFreeCredentialAttestation
+//          - WebAuthNFreeAssertion
+//          - WebAuthNGetCancellationId
+//          - WebAuthNCancelCurrentOperation
+//          - WebAuthNGetErrorName
+//          - WebAuthNGetW3CExceptionDOMError
+
+#define WEBAUTHN_API_CURRENT_VERSION    WEBAUTHN_API_VERSION_1
+
+//+------------------------------------------------------------------------------------------
+// Information about an RP Entity
+//-------------------------------------------------------------------------------------------
+
+#define WEBAUTHN_RP_ENTITY_INFORMATION_CURRENT_VERSION          1
+
+typedef struct _WEBAUTHN_RP_ENTITY_INFORMATION {
+    // Version of this structure, to allow for modifications in the future.
+    // This field is required and should be set to CURRENT_VERSION above.
+    DWORD dwVersion;
+
+    // Identifier for the RP. This field is required.
+    PCWSTR pwszId;
+
+    // Contains the friendly name of the Relying Party, such as "Acme Corporation", "Widgets Inc" or "Awesome Site".
+    // This field is required.
+    PCWSTR pwszName;
+
+    // Optional URL pointing to RP's logo. 
+    PCWSTR pwszIcon;
+} WEBAUTHN_RP_ENTITY_INFORMATION, *PWEBAUTHN_RP_ENTITY_INFORMATION;
+typedef const WEBAUTHN_RP_ENTITY_INFORMATION *PCWEBAUTHN_RP_ENTITY_INFORMATION;
+
+//+------------------------------------------------------------------------------------------
+// Information about an User Entity
+//-------------------------------------------------------------------------------------------
+#define WEBAUTHN_MAX_USER_ID_LENGTH                             64
+
+#define WEBAUTHN_USER_ENTITY_INFORMATION_CURRENT_VERSION        1
+
+typedef struct _WEBAUTHN_USER_ENTITY_INFORMATION {
+    // Version of this structure, to allow for modifications in the future.
+    // This field is required and should be set to CURRENT_VERSION above.
+    DWORD dwVersion;
+
+    // Identifier for the User. This field is required.
+    DWORD cbId;
+    _Field_size_bytes_(cbId)
+    PBYTE pbId;
+
+    // Contains a detailed name for this account, such as "john.p.smith@example.com".
+    PCWSTR pwszName;
+
+    // Optional URL that can be used to retrieve an image containing the user's current avatar,
+    // or a data URI that contains the image data.
+    PCWSTR pwszIcon;
+
+    // For User: Contains the friendly name associated with the user account by the Relying Party, such as "John P. Smith".
+    PCWSTR pwszDisplayName;
+} WEBAUTHN_USER_ENTITY_INFORMATION, *PWEBAUTHN_USER_ENTITY_INFORMATION;
+typedef const WEBAUTHN_USER_ENTITY_INFORMATION *PCWEBAUTHN_USER_ENTITY_INFORMATION;
+
+//+------------------------------------------------------------------------------------------
+// Information about client data.
+//-------------------------------------------------------------------------------------------
+
+#define WEBAUTHN_HASH_ALGORITHM_SHA_256                         L"SHA-256"
+#define WEBAUTHN_HASH_ALGORITHM_SHA_384                         L"SHA-384"
+#define WEBAUTHN_HASH_ALGORITHM_SHA_512                         L"SHA-512"
+
+#define WEBAUTHN_CLIENT_DATA_CURRENT_VERSION                    1
+
+typedef struct _WEBAUTHN_CLIENT_DATA {
+    // Version of this structure, to allow for modifications in the future.
+    // This field is required and should be set to CURRENT_VERSION above.
+    DWORD dwVersion;
+
+    // Size of the pbClientDataJSON field.
+    DWORD cbClientDataJSON;
+    // UTF-8 encoded JSON serialization of the client data.
+    _Field_size_bytes_(cbClientDataJSON)
+    PBYTE pbClientDataJSON;
+
+    // Hash algorithm ID used to hash the pbClientDataJSON field.
+    LPCWSTR pwszHashAlgId;
+} WEBAUTHN_CLIENT_DATA, *PWEBAUTHN_CLIENT_DATA;
+typedef const WEBAUTHN_CLIENT_DATA *PCWEBAUTHN_CLIENT_DATA;
+
+//+------------------------------------------------------------------------------------------
+// Information about credential parameters.
+//-------------------------------------------------------------------------------------------
+
+#define WEBAUTHN_CREDENTIAL_TYPE_PUBLIC_KEY                         L"public-key"
+
+#define WEBAUTHN_COSE_ALGORITHM_ECDSA_P256_WITH_SHA256             -7
+#define WEBAUTHN_COSE_ALGORITHM_ECDSA_P384_WITH_SHA384             -35
+#define WEBAUTHN_COSE_ALGORITHM_ECDSA_P521_WITH_SHA512             -36
+
+#define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA256      -257
+#define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA384      -258
+#define WEBAUTHN_COSE_ALGORITHM_RSASSA_PKCS1_V1_5_WITH_SHA512      -259
+
+#define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA256                -37
+#define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA384                -38
+#define WEBAUTHN_COSE_ALGORITHM_RSA_PSS_WITH_SHA512                -39
+
+#define WEBAUTHN_COSE_CREDENTIAL_PARAMETER_CURRENT_VERSION          1
+
+typedef struct _WEBAUTHN_COSE_CREDENTIAL_PARAMETER {
+    // Version of this structure, to allow for modifications in the future.
+    DWORD dwVersion;
+
+    // Well-known credential type specifying a credential to create.
+    LPCWSTR pwszCredentialType;
+
+    // Well-known COSE algorithm specifying the algorithm to use for the credential.
+    LONG lAlg;
+} WEBAUTHN_COSE_CREDENTIAL_PARAMETER, *PWEBAUTHN_COSE_CREDENTIAL_PARAMETER;
+typedef const WEBAUTHN_COSE_CREDENTIAL_PARAMETER *PCWEBAUTHN_COSE_CREDENTIAL_PARAMETER;
+
+typedef struct _WEBAUTHN_COSE_CREDENTIAL_PARAMETERS {
+    DWORD cCredentialParameters;
+    _Field_size_(cCredentialParameters)
+    PWEBAUTHN_COSE_CREDENTIAL_PARAMETER pCredentialParameters;
+} WEBAUTHN_COSE_CREDENTIAL_PARAMETERS, *PWEBAUTHN_COSE_CREDENTIAL_PARAMETERS;
+typedef const WEBAUTHN_COSE_CREDENTIAL_PARAMETERS *PCWEBAUTHN_COSE_CREDENTIAL_PARAMETERS;
+
+//+------------------------------------------------------------------------------------------
+// Information about credential.
+//-------------------------------------------------------------------------------------------
+#define WEBAUTHN_CREDENTIAL_CURRENT_VERSION                         1
+
+typedef struct _WEBAUTHN_CREDENTIAL {
+    // Version of this structure, to allow for modifications in the future.
+    DWORD dwVersion;
+
+    // Size of pbID.
+    DWORD cbId;
+    // Unique ID for this particular credential.
+    _Field_size_bytes_(cbId)
+    PBYTE pbId;
+
+    // Well-known credential type specifying what this particular credential is.
+    LPCWSTR pwszCredentialType;
+} WEBAUTHN_CREDENTIAL, *PWEBAUTHN_CREDENTIAL;
+typedef const WEBAUTHN_CREDENTIAL *PCWEBAUTHN_CREDENTIAL;
+
+typedef struct _WEBAUTHN_CREDENTIALS {
+    DWORD cCredentials;
+    _Field_size_(cCredentials)
+    PWEBAUTHN_CREDENTIAL pCredentials;
+} WEBAUTHN_CREDENTIALS, *PWEBAUTHN_CREDENTIALS;
+typedef const WEBAUTHN_CREDENTIALS *PCWEBAUTHN_CREDENTIALS;
+
+//+------------------------------------------------------------------------------------------
+// Information about credential with extra information, such as, dwTransports
+//-------------------------------------------------------------------------------------------
+
+#define WEBAUTHN_CTAP_TRANSPORT_USB         0x00000001
+#define WEBAUTHN_CTAP_TRANSPORT_NFC         0x00000002
+#define WEBAUTHN_CTAP_TRANSPORT_BLE         0x00000004
+#define WEBAUTHN_CTAP_TRANSPORT_TEST        0x00000008
+#define WEBAUTHN_CTAP_TRANSPORT_INTERNAL    0x00000010
+#define WEBAUTHN_CTAP_TRANSPORT_FLAGS_MASK  0x0000001F
+
+#define WEBAUTHN_CREDENTIAL_EX_CURRENT_VERSION                         1
+
+typedef struct _WEBAUTHN_CREDENTIAL_EX {
+    // Version of this structure, to allow for modifications in the future.
+    DWORD dwVersion;
+
+    // Size of pbID.
+    DWORD cbId;
+    // Unique ID for this particular credential.
+    _Field_size_bytes_(cbId)
+    PBYTE pbId;
+
+    // Well-known credential type specifying what this particular credential is.
+    LPCWSTR pwszCredentialType;
+
+    // Transports. 0 implies no transport restrictions.
+    DWORD dwTransports;
+} WEBAUTHN_CREDENTIAL_EX, *PWEBAUTHN_CREDENTIAL_EX;
+typedef const WEBAUTHN_CREDENTIAL_EX *PCWEBAUTHN_CREDENTIAL_EX;
+
+//+------------------------------------------------------------------------------------------
+// Information about credential list with extra information
+//-------------------------------------------------------------------------------------------
+
+typedef struct _WEBAUTHN_CREDENTIAL_LIST {
+    DWORD cCredentials;
+    _Field_size_(cCredentials)
+    PWEBAUTHN_CREDENTIAL_EX *ppCredentials;
+} WEBAUTHN_CREDENTIAL_LIST, *PWEBAUTHN_CREDENTIAL_LIST;
+typedef const WEBAUTHN_CREDENTIAL_LIST *PCWEBAUTHN_CREDENTIAL_LIST;
+
+//+------------------------------------------------------------------------------------------
+// Hmac-Secret extension
+//-------------------------------------------------------------------------------------------
+
+#define WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET                  L"hmac-secret"
+// Below type definitions is for WEBAUTHN_EXTENSIONS_IDENTIFIER_HMAC_SECRET
+// MakeCredential Input Type:   BOOL.
+//      - pvExtension must point to a BOOL with the value TRUE.
+//      - cbExtension must contain the sizeof(BOOL).
+// MakeCredential Output Type:  BOOL.
+//      - pvExtension will point to a BOOL with the value TRUE if credential
+//        was successfully created with HMAC_SECRET.
+//      - cbExtension will contain the sizeof(BOOL).
+// GetAssertion Input Type:     Not Supported
+// GetAssertion Output Type:    Not Supported
+
+//+------------------------------------------------------------------------------------------
+// Information about Extensions.
+//-------------------------------------------------------------------------------------------
+typedef struct _WEBAUTHN_EXTENSION {
+    LPCWSTR pwszExtensionIdentifier;
+    DWORD cbExtension;
+    PVOID pvExtension;
+} WEBAUTHN_EXTENSION, *PWEBAUTHN_EXTENSION;
+typedef const WEBAUTHN_EXTENSION *PCWEBAUTHN_EXTENSION;
+
+typedef struct _WEBAUTHN_EXTENSIONS {
+    DWORD cExtensions;
+    _Field_size_(cExtensions)
+    PWEBAUTHN_EXTENSION pExtensions;
+} WEBAUTHN_EXTENSIONS, *PWEBAUTHN_EXTENSIONS;
+typedef const WEBAUTHN_EXTENSIONS *PCWEBAUTHN_EXTENSIONS;
+
+//+------------------------------------------------------------------------------------------
+// Options.
+//-------------------------------------------------------------------------------------------
+
+#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_ANY                               0
+#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_PLATFORM                          1
+#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM                    2
+#define WEBAUTHN_AUTHENTICATOR_ATTACHMENT_CROSS_PLATFORM_U2F_V2             3
+
+#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_ANY                          0
+#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_REQUIRED                     1
+#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_PREFERRED                    2
+#define WEBAUTHN_USER_VERIFICATION_REQUIREMENT_DISCOURAGED                  3
+
+#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_ANY                      0
+#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_NONE                     1
+#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_INDIRECT                 2
+#define WEBAUTHN_ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT                   3
+
+#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_1            1
+#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_2            2
+#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_3            3
+#define WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_CURRENT_VERSION      WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_3
+
+typedef struct _WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS {
+    // Version of this structure, to allow for modifications in the future.
+    DWORD dwVersion;
+
+    // Time that the operation is expected to complete within.
+    // This is used as guidance, and can be overridden by the platform.
+    DWORD dwTimeoutMilliseconds;
+
+    // Credentials used for exclusion.
+    WEBAUTHN_CREDENTIALS CredentialList;
+
+    // Optional extensions to parse when performing the operation.
+    WEBAUTHN_EXTENSIONS Extensions;
+
+    // Optional. Platform vs Cross-Platform Authenticators.
+    DWORD dwAuthenticatorAttachment;
+
+    // Optional. Require key to be resident or not. Defaulting to FALSE;
+    BOOL bRequireResidentKey;
+
+    // User Verification Requirement.
+    DWORD dwUserVerificationRequirement;
+
+    // Attestation Conveyance Preference.
+    DWORD dwAttestationConveyancePreference;
+
+    // Reserved for future Use
+    DWORD dwFlags;
+
+    //
+    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_2
+    //
+
+    // Cancellation Id - Optional - See WebAuthNGetCancellationId
+    GUID *pCancellationId;
+
+    //
+    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS_VERSION_3
+    //
+
+    // Exclude Credential List. If present, "CredentialList" will be ignored.
+    PWEBAUTHN_CREDENTIAL_LIST pExcludeCredentialList;
+
+} WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS, *PWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS;
+typedef const WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS *PCWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS;
+
+
+#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_1          1
+#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_2          2
+#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_3          3
+#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_4          4
+#define WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_CURRENT_VERSION    WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_4
+
+typedef struct _WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS {
+    // Version of this structure, to allow for modifications in the future.
+    DWORD dwVersion;
+
+    // Time that the operation is expected to complete within.
+    // This is used as guidance, and can be overridden by the platform.
+    DWORD dwTimeoutMilliseconds;
+
+    // Allowed Credentials List.
+    WEBAUTHN_CREDENTIALS CredentialList;
+
+    // Optional extensions to parse when performing the operation.
+    WEBAUTHN_EXTENSIONS Extensions;
+
+    // Optional. Platform vs Cross-Platform Authenticators.
+    DWORD dwAuthenticatorAttachment;
+
+    // User Verification Requirement.
+    DWORD dwUserVerificationRequirement;
+
+    // Reserved for future Use
+    DWORD dwFlags;
+
+    //
+    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_2
+    //
+
+    // Optional identifier for the U2F AppId. Converted to UTF8 before being hashed. Not lower cased.
+    PCWSTR pwszU2fAppId;
+
+    // If the following is non-NULL, then, set to TRUE if the above pwszU2fAppid was used instead of
+    // PCWSTR pwszRpId;
+    BOOL *pbU2fAppId;
+
+    //
+    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_3
+    //
+
+    // Cancellation Id - Optional - See WebAuthNGetCancellationId
+    GUID *pCancellationId;
+
+    //
+    // The following fields have been added in WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS_VERSION_4
+    //
+
+    // Allow Credential List. If present, "CredentialList" will be ignored.
+    PWEBAUTHN_CREDENTIAL_LIST pAllowCredentialList;
+
+} WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS,  *PWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS;
+typedef const WEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS  *PCWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS;
+
+
+//+------------------------------------------------------------------------------------------
+// Attestation Info.
+//
+//-------------------------------------------------------------------------------------------
+#define WEBAUTHN_ATTESTATION_DECODE_NONE                                0
+#define WEBAUTHN_ATTESTATION_DECODE_COMMON                              1
+// WEBAUTHN_ATTESTATION_DECODE_COMMON supports format types
+//  L"packed"
+//  L"fido-u2f"
+
+#define WEBAUTHN_ATTESTATION_VER_TPM_2_0   L"2.0"
+
+typedef struct _WEBAUTHN_X5C {
+    // Length of X.509 encoded certificate
+    DWORD cbData;
+    // X.509 encoded certificate bytes
+    _Field_size_bytes_(cbData)
+    PBYTE pbData;
+} WEBAUTHN_X5C, *PWEBAUTHN_X5C;
+
+// Supports either Self or Full Basic Attestation
+
+// Note, new fields will be added to the following data structure to
+// support additional attestation format types, such as, TPM.
+// When fields are added, the dwVersion will be incremented.
+//
+// Therefore, your code must make the following check:
+//  "if (dwVersion >= WEBAUTHN_COMMON_ATTESTATION_CURRENT_VERSION)"
+
+#define WEBAUTHN_COMMON_ATTESTATION_CURRENT_VERSION                     1
+
+typedef struct _WEBAUTHN_COMMON_ATTESTATION {
+    // Version of this structure, to allow for modifications in the future.
+    DWORD dwVersion;
+
+    // Hash and Padding Algorithm
+    //
+    // The following won't be set for "fido-u2f" which assumes "ES256".
+    PCWSTR pwszAlg;
+    LONG lAlg;      // COSE algorithm
+
+    // Signature that was generated for this attestation.
+    DWORD cbSignature;
+    _Field_size_bytes_(cbSignature)
+    PBYTE pbSignature;
+
+    // Following is set for Full Basic Attestation. If not, set then, this is Self Attestation.
+    // Array of X.509 DER encoded certificates. The first certificate is the signer, leaf certificate.
+    DWORD cX5c;
+    _Field_size_(cX5c)
+    PWEBAUTHN_X5C pX5c;
+
+    // Following are also set for tpm
+    PCWSTR pwszVer; // L"2.0"
+    DWORD cbCertInfo;
+    _Field_size_bytes_(cbCertInfo)
+    PBYTE pbCertInfo;
+    DWORD cbPubArea;
+    _Field_size_bytes_(cbPubArea)
+    PBYTE pbPubArea;
+} WEBAUTHN_COMMON_ATTESTATION, *PWEBAUTHN_COMMON_ATTESTATION;
+typedef const WEBAUTHN_COMMON_ATTESTATION *PCWEBAUTHN_COMMON_ATTESTATION;
+
+#define WEBAUTHN_ATTESTATION_TYPE_PACKED                                L"packed"
+#define WEBAUTHN_ATTESTATION_TYPE_U2F                                   L"fido-u2f"
+#define WEBAUTHN_ATTESTATION_TYPE_TPM                                   L"tpm"
+#define WEBAUTHN_ATTESTATION_TYPE_NONE                                  L"none"
+
+#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_1               1
+#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_2               2
+#define WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_3               3
+#define WEBAUTHN_CREDENTIAL_ATTESTATION_CURRENT_VERSION         WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_3
+
+typedef struct _WEBAUTHN_CREDENTIAL_ATTESTATION {
+    // Version of this structure, to allow for modifications in the future.
+    DWORD dwVersion;
+
+    // Attestation format type
+    PCWSTR pwszFormatType;
+
+    // Size of cbAuthenticatorData.
+    DWORD cbAuthenticatorData;
+    // Authenticator data that was created for this credential.
+    _Field_size_bytes_(cbAuthenticatorData)
+    PBYTE pbAuthenticatorData;
+
+    // Size of CBOR encoded attestation information
+    //0 => encoded as CBOR null value.
+    DWORD cbAttestation;
+    //Encoded CBOR attestation information
+    _Field_size_bytes_(cbAttestation)
+    PBYTE pbAttestation;
+
+    DWORD dwAttestationDecodeType;
+    // Following depends on the dwAttestationDecodeType
+    //  WEBAUTHN_ATTESTATION_DECODE_NONE
+    //      NULL - not able to decode the CBOR attestation information
+    //  WEBAUTHN_ATTESTATION_DECODE_COMMON
+    //      PWEBAUTHN_COMMON_ATTESTATION;
+    PVOID pvAttestationDecode;
+
+    // The CBOR encoded Attestation Object to be returned to the RP.
+    DWORD cbAttestationObject;
+    _Field_size_bytes_(cbAttestationObject)
+    PBYTE pbAttestationObject;
+
+    // The CredentialId bytes extracted from the Authenticator Data.
+    // Used by Edge to return to the RP.
+    DWORD cbCredentialId;
+    _Field_size_bytes_(cbCredentialId)
+    PBYTE pbCredentialId;
+
+    //
+    // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_2
+    //
+
+    WEBAUTHN_EXTENSIONS Extensions;
+
+    //
+    // Following fields have been added in WEBAUTHN_CREDENTIAL_ATTESTATION_VERSION_3
+    //
+
+    // One of the WEBAUTHN_CTAP_TRANSPORT_* bits will be set corresponding to
+    // the transport that was used.
+    DWORD dwUsedTransport;
+
+} WEBAUTHN_CREDENTIAL_ATTESTATION, *PWEBAUTHN_CREDENTIAL_ATTESTATION;
+typedef const WEBAUTHN_CREDENTIAL_ATTESTATION *PCWEBAUTHN_CREDENTIAL_ATTESTATION;
+
+
+//+------------------------------------------------------------------------------------------
+// authenticatorGetAssertion output.
+//-------------------------------------------------------------------------------------------
+
+#define WEBAUTHN_ASSERTION_CURRENT_VERSION                              1
+
+typedef struct _WEBAUTHN_ASSERTION {
+    // Version of this structure, to allow for modifications in the future.
+    DWORD dwVersion;
+
+    // Size of cbAuthenticatorData.
+    DWORD cbAuthenticatorData;
+    // Authenticator data that was created for this assertion.
+    _Field_size_bytes_(cbAuthenticatorData)
+    PBYTE pbAuthenticatorData;
+
+    // Size of pbSignature.
+    DWORD cbSignature;
+    // Signature that was generated for this assertion.
+    _Field_size_bytes_(cbSignature)
+    PBYTE pbSignature;
+
+    // Credential that was used for this assertion.
+    WEBAUTHN_CREDENTIAL Credential;
+
+    // Size of User Id
+    DWORD cbUserId;
+    // UserId
+    _Field_size_bytes_(cbUserId)
+    PBYTE pbUserId;
+} WEBAUTHN_ASSERTION, *PWEBAUTHN_ASSERTION;
+typedef const WEBAUTHN_ASSERTION *PCWEBAUTHN_ASSERTION;
+
+//+------------------------------------------------------------------------------------------
+// APIs.
+//-------------------------------------------------------------------------------------------
+
+DWORD
+WINAPI
+WebAuthNGetApiVersionNumber();
+
+HRESULT
+WINAPI
+WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable(
+    _Out_ BOOL *pbIsUserVerifyingPlatformAuthenticatorAvailable);
+
+
+HRESULT
+WINAPI
+WebAuthNAuthenticatorMakeCredential(
+    _In_        HWND                                                hWnd,
+    _In_        PCWEBAUTHN_RP_ENTITY_INFORMATION                    pRpInformation,
+    _In_        PCWEBAUTHN_USER_ENTITY_INFORMATION                  pUserInformation,
+    _In_        PCWEBAUTHN_COSE_CREDENTIAL_PARAMETERS               pPubKeyCredParams,
+    _In_        PCWEBAUTHN_CLIENT_DATA                              pWebAuthNClientData,
+    _In_opt_    PCWEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS    pWebAuthNMakeCredentialOptions,
+    _Outptr_result_maybenull_ PWEBAUTHN_CREDENTIAL_ATTESTATION      *ppWebAuthNCredentialAttestation);
+
+
+HRESULT
+WINAPI
+WebAuthNAuthenticatorGetAssertion(
+    _In_        HWND                                                hWnd,
+    _In_        LPCWSTR                                             pwszRpId,
+    _In_        PCWEBAUTHN_CLIENT_DATA                              pWebAuthNClientData,
+    _In_opt_    PCWEBAUTHN_AUTHENTICATOR_GET_ASSERTION_OPTIONS      pWebAuthNGetAssertionOptions,
+    _Outptr_result_maybenull_ PWEBAUTHN_ASSERTION                   *ppWebAuthNAssertion);
+
+void
+WINAPI
+WebAuthNFreeCredentialAttestation(
+    _In_opt_ PWEBAUTHN_CREDENTIAL_ATTESTATION pWebAuthNCredentialAttestation);
+
+void
+WINAPI
+WebAuthNFreeAssertion(
+    _In_ PWEBAUTHN_ASSERTION pWebAuthNAssertion);
+
+HRESULT
+WINAPI
+WebAuthNGetCancellationId(
+    _Out_ GUID* pCancellationId);
+
+HRESULT
+WINAPI
+WebAuthNCancelCurrentOperation(
+    _In_ const GUID* pCancellationId);
+
+//
+// Returns the following Error Names:
+//  L"Success"              - S_OK
+//  L"InvalidStateError"    - NTE_EXISTS
+//  L"ConstraintError"      - HRESULT_FROM_WIN32(ERROR_NOT_SUPPORTED),
+//                            NTE_NOT_SUPPORTED,
+//                            NTE_TOKEN_KEYSET_STORAGE_FULL
+//  L"NotSupportedError"    - NTE_INVALID_PARAMETER
+//  L"NotAllowedError"      - NTE_DEVICE_NOT_FOUND,
+//                            NTE_NOT_FOUND,
+//                            HRESULT_FROM_WIN32(ERROR_CANCELLED),
+//                            NTE_USER_CANCELLED,
+//                            HRESULT_FROM_WIN32(ERROR_TIMEOUT)
+//  L"UnknownError"         - All other hr values
+//
+PCWSTR
+WINAPI
+WebAuthNGetErrorName(
+    _In_ HRESULT hr);
+
+HRESULT
+WINAPI
+WebAuthNGetW3CExceptionDOMError(
+    _In_ HRESULT hr);
+
+
+#ifdef __cplusplus
+}       // Balance extern "C" above
+#endif
+
+#endif // WINAPI_FAMILY_PARTITION
+#pragma endregion
+
+#endif // __WEBAUTHN_H_
--- a/dom/webidl/WebAuthentication.webidl
+++ b/dom/webidl/WebAuthentication.webidl
@@ -141,17 +141,18 @@ dictionary PublicKeyCredentialDescriptor
     required PublicKeyCredentialType      type;
     required BufferSource                 id;
     sequence<AuthenticatorTransport>      transports;
 };
 
 enum AuthenticatorTransport {
     "usb",
     "nfc",
-    "ble"
+    "ble",
+    "internal"
 };
 
 typedef long COSEAlgorithmIdentifier;
 
 typedef sequence<AAGUID>      AuthenticatorSelectionList;
 
 typedef BufferSource      AAGUID;
 
--- a/layout/build/nsLayoutStatics.cpp
+++ b/layout/build/nsLayoutStatics.cpp
@@ -106,16 +106,19 @@
 #include "MediaDecoder.h"
 #include "mozilla/ClearSiteData.h"
 #include "mozilla/Fuzzyfox.h"
 #include "mozilla/ServoBindings.h"
 #include "mozilla/StaticPresData.h"
 #include "mozilla/dom/WebIDLGlobalNameHash.h"
 #include "mozilla/dom/ipc/IPCBlobInputStreamStorage.h"
 #include "mozilla/dom/U2FTokenManager.h"
+#ifdef OS_WIN
+#include "mozilla/dom/WinWebAuthnManager.h"
+#endif
 #include "mozilla/dom/PointerEventHandler.h"
 #include "mozilla/dom/RemoteWorkerService.h"
 #include "mozilla/dom/BlobURLProtocolHandler.h"
 #include "mozilla/dom/ReportingHeader.h"
 #include "mozilla/net/UrlClassifierFeatureFactory.h"
 #include "nsThreadManager.h"
 #include "mozilla/css/ImageLoader.h"
 
@@ -274,16 +277,20 @@ nsresult nsLayoutStatics::Initialize() {
     InitializeServo();
   }
 
   // This must be initialized on the main-thread.
   mozilla::dom::IPCBlobInputStreamStorage::Initialize();
 
   mozilla::dom::U2FTokenManager::Initialize();
 
+#ifdef OS_WIN
+  mozilla::dom::WinWebAuthnManager::Initialize();
+#endif
+
   if (XRE_IsParentProcess()) {
     // On content process we initialize these components when PContentChild is
     // fully initialized.
     mozilla::dom::DOMPrefs::Initialize();
     mozilla::dom::RemoteWorkerService::Initialize();
   }
 
   nsThreadManager::InitializeShutdownObserver();