Thanks for this attention to detail! A few minor points: On Tue, Feb 25, 2025 at 12:52 AM Stephen McGruer <smcgr...@chromium.org> wrote:
> Note: We've done outreach to the WPWG members ( > https://lists.w3.org/Archives/Public/public-payments-wg/2025Feb/0008.html), > and are following up with known partners directly. > > We don't have UseCounters here currently; I'm hoping to land some for > M135, but this is such a niche case (creation within an iframe is > rare/non-existent today in practice, and this further requires that you are > catching *and care about* the specific error type for missing user > activation) that I may request I2S without that data. > > On Monday, February 24, 2025 at 10:34:46 AM UTC-5 Stephen McGruer wrote: > >> Contact emailssmcgr...@chromium.org >> >> Explainerhttps://github.com/w3c/secure-payment-confirmation. A few >> more /issues/267 >> <https://github.com/w3c/secure-payment-confirmation/issues/267> >> >> SpecificationNone >> >> Summary >> >> Correct the error type thrown during WebAuthn credential creation for >> 'payment' credentials. Due to a historic specification mismatch, creating a >> 'payment' credential in a cross-origin iframe without a user activation >> would throw a SecurityError instead of a NotAllowedError, which is what is >> thrown for non-payment credentials. This is a breaking change, albeit a >> niche one. Code that previously detected the type of error thrown (e.g., `e >> instanceof SecurityError`) would be affected. Code that just generally >> handles errors during credential creation (e.g. `catch (e)`) will continue >> to function correctly. >> >> >> Blink componentBlink>Payments >> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EPayments%22> >> >> Motivation >> >> As part of Secure Payment Confirmation (SPC), WebAuthn credentials with >> the 'payment' extension could be created in a cross-origin iframe before >> this was allowed for other WebAuthn credentials. When the ability to do >> this for all WebAuthn credentials was added in >> https://github.com/w3c/webauthn/pull/1801, an accidental spec >> misalignment was made. In the very specific case of credential creation in >> a cross-origin iframe without user activation, the SPC spec said to throw a >> SecurityError, whilst the WebAuthn spec said to throw a NotAllowedError. >> This misalignment has now been corrected at the specification level ( >> https://github.com/w3c/secure-payment-confirmation/issues/267), and so >> left Chromium as non-compliant with the specification. >> >> >> Initial public proposal >> https://github.com/w3c/secure-payment-confirmation/issues/267 >> >> TAG reviewNone >> >> TAG review statusN/A - minor change to existing specification >> >> Risks >> Interoperability and Compatibility >> >> None >> >> *Gecko*: N/A - minor change to existing specification. Note that SPC is >> not implemented or supported by Gecko. >> >> *WebKit*: N/A - minor change to existing specification. Note that SPC is >> not implemented or supported by Gecko. >> >> *Web developers*: No signals >> >> WebView application risks >> >> Does this intent deprecate or change behavior of existing APIs, such that >> it has potentially high risk for Android WebView-based applications? >> >> None >> >> Debuggability >> >> None >> >> Is this feature fully tested by web-platform-tests >> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >> ?Yes (but still testing the old behavior) - >> https://wpt.fyi/results/secure-payment-confirmation/enrollment-in-iframe.sub.https.html?label=experimental&label=master&aligned >> > Can you be sure to update these as part of shipping the new behavior? > >> >> Flag name on about://flags >> chrome://web-authentication-align-error-type-for-payment-credential-create >> >> Finch feature nameNone >> >> Non-finch justificationNone >> > Why no Finch flag? > >> >> Requires code in //chrome?False >> >> Estimated milestones >> >> No milestones specified >> > Please be sure to fill this out before shipping so that this change gets properly messaged on ChromeStatus's roadmap, the beta blogpost, etc. > >> Link to entry on the Chrome Platform Status >> https://chromestatus.com/feature/5160752715137024?gate=6260632086904832 >> >> This intent message was generated by Chrome Platform Status >> <https://chromestatus.com/>. >> > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/39f5811d-a696-4fa0-8caa-720c18880799n%40chromium.org > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/39f5811d-a696-4fa0-8caa-720c18880799n%40chromium.org?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM0wra_extkVk5phByFj_F1FcDMjNUzybbYR7DZWPop%2Br%3Dw9Mg%40mail.gmail.com.
