core/webauthn: Reply with ERR_CHANNEL_BUSY once a U2F request has been declined to stop Chrome from polling.

core/src/apps/webauthn/fido2.py

@@ -1140,11 +1140,18 @@ def msg_register(req: Msg, dialog_mgr: DialogManager) -> Cmd:
     dialog_mgr.reset_timeout()
 
     # wait for a button or continue
-    if dialog_mgr.result != _RESULT_CONFIRM:
+    if dialog_mgr.result == _RESULT_NONE:
         if __debug__:
             log.info(__name__, "waiting for button")
         return msg_error(req.cid, _SW_CONDITIONS_NOT_SATISFIED)
 
+    if dialog_mgr.result != _RESULT_CONFIRM:
+        if __debug__:
+            log.info(__name__, "request declined")
+        # There is no standard way to decline a U2F request, but responding with ERR_CHANNEL_BUSY
+        # doesn't seem to violate the protocol and at least stops Chrome from polling.
+        return cmd_error(req.cid, _ERR_CHANNEL_BUSY)
+
     # sign the registration challenge and return
     if __debug__:
         log.info(__name__, "signing register")
@@ -1229,11 +1236,18 @@ def msg_authenticate(req: Msg, dialog_mgr: DialogManager) -> Cmd:
     dialog_mgr.reset_timeout()
 
     # wait for a button or continue
-    if dialog_mgr.result != _RESULT_CONFIRM:
+    if dialog_mgr.result == _RESULT_NONE:
         if __debug__:
             log.info(__name__, "waiting for button")
         return msg_error(req.cid, _SW_CONDITIONS_NOT_SATISFIED)
 
+    if dialog_mgr.result != _RESULT_CONFIRM:
+        if __debug__:
+            log.info(__name__, "request declined")
+        # There is no standard way to decline a U2F request, but responding with ERR_CHANNEL_BUSY
+        # doesn't seem to violate the protocol and at least stops Chrome from polling.
+        return cmd_error(req.cid, _ERR_CHANNEL_BUSY)
+
     # sign the authentication challenge and return
     if __debug__:
         log.info(__name__, "signing authentication")