Contact emails: smcgr...@chromium.org

Explainer: https://github.com/w3c/secure-payment-confirmation/issues/267

Specification: None

Summary

Correct the error type thrown during WebAuthn credential creation for
'payment' credentials. Due to a historic specification mismatch, creating a
'payment' credential in a cross-origin iframe without a user activation
would throw a SecurityError instead of a NotAllowedError, which is what is
thrown for non-payment credentials. This is a breaking change, albeit a
niche one. Code that previously detected the type of error thrown (e.g., `e
instanceof SecurityError`) would be affected. Code that just generally
handles errors during credential creation (e.g. `catch (e)`) will continue
to function correctly.
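An added example (not part of the intent message or of Chromium's code) showing how a relying party's creation call can be written to survive this change: it keys on `err.name` rather than `instanceof`, so both `SecurityError` and `NotAllowedError` map to the same outcome. The `credentialsApi` parameter and the relying-party values are assumptions so the logic can run outside a browser.

```javascript
// Error names that have signalled "payment credential creation needs a user
// activation in a cross-origin iframe": SecurityError before the fix,
// NotAllowedError after it (and for non-payment credentials all along).
const USER_ACTIVATION_ERRORS = new Set(['SecurityError', 'NotAllowedError']);

// Classify a rejection from navigator.credentials.create() by its DOMException
// name. Using `err instanceof SecurityError` would silently stop matching once
// the browser switches to NotAllowedError.
function classifyCreateError(err) {
  const name = err && typeof err.name === 'string' ? err.name : '';
  if (USER_ACTIVATION_ERRORS.has(name)) return 'needs-user-activation';
  return name ? `other:${name}` : 'unexpected';
}

// Build SPC creation options. Relying-party values are illustrative
// placeholders; `challenge` and `userId` come from the server.
function paymentCredentialOptions(challenge, userId) {
  return {
    publicKey: {
      challenge,
      rp: { name: 'Example Bank' }, // placeholder relying party
      user: { id: userId, name: 'user@example.test', displayName: 'Example User' },
      pubKeyCredParams: [{ type: 'public-key', alg: -7 }], // ES256
      authenticatorSelection: { userVerification: 'required', residentKey: 'required' },
      extensions: { payment: { isPayment: true } }, // marks the credential for SPC
    },
  };
}

// `credentialsApi` is injected (navigator.credentials in a browser, a stub in
// tests). Never throws; returns a status the caller can branch on, e.g. to
// show a button and retry the creation from a user gesture.
async function createPaymentCredential(credentialsApi, challenge, userId) {
  try {
    const credential = await credentialsApi.create(paymentCredentialOptions(challenge, userId));
    return { status: 'created', credential };
  } catch (err) {
    return { status: classifyCreateError(err), credential: null };
  }
}
```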


Blink component: Blink>Payments
<https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EPayments%22>

Motivation

As part of Secure Payment Confirmation (SPC), WebAuthn credentials with the
'payment' extension could be created in a cross-origin iframe before this
was allowed for other WebAuthn credentials. When the ability to do this for
all WebAuthn credentials was added in
https://github.com/w3c/webauthn/pull/1801, an accidental spec misalignment
was introduced. In the very specific case of credential creation in a
cross-origin iframe without user activation, the SPC spec said to throw a
SecurityError, whilst the WebAuthn spec said to throw a NotAllowedError.
This misalignment has now been corrected at the specification level
(https://github.com/w3c/secure-payment-confirmation/issues/267), which left
Chromium non-compliant with the specification.


Initial public proposal
https://github.com/w3c/secure-payment-confirmation/issues/267

TAG review: None

TAG review status: N/A - minor change to existing specification

Risks
Interoperability and Compatibility

None

*Gecko*: N/A - minor change to existing specification. Note that SPC is not
implemented or supported by Gecko.

*WebKit*: N/A - minor change to existing specification. Note that SPC is
not implemented or supported by Gecko.

*Web developers*: No signals

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that
it has potentially high risk for Android WebView-based applications?

None

Debuggability

None

Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yes (but still testing the old behavior) -
https://wpt.fyi/results/secure-payment-confirmation/enrollment-in-iframe.sub.https.html?label=experimental&label=master&aligned

Flag name on about://flags
chrome://web-authentication-align-error-type-for-payment-credential-create

Finch feature name: None

Non-finch justification: None

Requires code in //chrome? False

Estimated milestones

No milestones specified

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5160752715137024?gate=6260632086904832

This intent message was generated by Chrome Platform Status
<https://chromestatus.com/>.
