Thanks Domenic, > Can you be sure to update these as part of shipping the new behavior?
Absolutely, sorry if that wasn't clear that we will be doing this. :) > Why no Finch flag? Because Chromestatus didn't ask me for one before reaching the I2P stage, and I missed this field when manually editing the email 😅. Naively, there will be a default Finch flag here from the base::Feature generated from the RuntimeEnabledFeature, and that Finch flag will act as a killswitch as needed. Is something more expected? (Do web platform launches use Finch rollouts nowadays? Been a while since I've been in the WP space!) > Please be sure to fill this out before shipping so that this change gets properly messaged on ChromeStatus's roadmap, the beta blogpost, etc. Absolutely will do; this will be filled out before sending the I2S. On Tue, 25 Feb 2025 at 00:26, Domenic Denicola <dome...@chromium.org> wrote: > Thanks for this attention to detail! A few minor points: > > On Tue, Feb 25, 2025 at 12:52 AM Stephen McGruer <smcgr...@chromium.org> > wrote: > >> Note: We've done outreach to the WPWG members ( >> https://lists.w3.org/Archives/Public/public-payments-wg/2025Feb/0008.html), >> and are following up with known partners directly. >> >> We don't have UseCounters here currently; I'm hoping to land some for >> M135, but this is such a niche case (creation within an iframe is >> rare/non-existent today in practice, and this further requires that you are >> catching *and care about* the specific error type for missing user >> activation) that I may request I2S without that data. >> >> On Monday, February 24, 2025 at 10:34:46 AM UTC-5 Stephen McGruer wrote: >> >>> Contact emailssmcgr...@chromium.org >>> >>> Explainerhttps://github.com/w3c/secure-payment-confirmation. A few >>> more /issues/267 >>> <https://github.com/w3c/secure-payment-confirmation/issues/267> >>> >>> SpecificationNone >>> >>> Summary >>> >>> Correct the error type thrown during WebAuthn credential creation for >>> 'payment' credentials. Due to a historic specification mismatch, creating a >>> 'payment' credential in a cross-origin iframe without a user activation >>> would throw a SecurityError instead of a NotAllowedError, which is what is >>> thrown for non-payment credentials. This is a breaking change, albeit a >>> niche one. Code that previously detected the type of error thrown (e.g., `e >>> instanceof SecurityError`) would be affected. Code that just generally >>> handles errors during credential creation (e.g. `catch (e)`) will continue >>> to function correctly. >>> >>> >>> Blink componentBlink>Payments >>> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EPayments%22> >>> >>> Motivation >>> >>> As part of Secure Payment Confirmation (SPC), WebAuthn credentials with >>> the 'payment' extension could be created in a cross-origin iframe before >>> this was allowed for other WebAuthn credentials. When the ability to do >>> this for all WebAuthn credentials was added in >>> https://github.com/w3c/webauthn/pull/1801, an accidental spec >>> misalignment was made. In the very specific case of credential creation in >>> a cross-origin iframe without user activation, the SPC spec said to throw a >>> SecurityError, whilst the WebAuthn spec said to throw a NotAllowedError. >>> This misalignment has now been corrected at the specification level ( >>> https://github.com/w3c/secure-payment-confirmation/issues/267), and so >>> left Chromium as non-compliant with the specification. >>> >>> >>> Initial public proposal >>> https://github.com/w3c/secure-payment-confirmation/issues/267 >>> >>> TAG reviewNone >>> >>> TAG review statusN/A - minor change to existing specification >>> >>> Risks >>> Interoperability and Compatibility >>> >>> None >>> >>> *Gecko*: N/A - minor change to existing specification. Note that SPC is >>> not implemented or supported by Gecko. >>> >>> *WebKit*: N/A - minor change to existing specification. Note that SPC >>> is not implemented or supported by Gecko. >>> >>> *Web developers*: No signals >>> >>> WebView application risks >>> >>> Does this intent deprecate or change behavior of existing APIs, such >>> that it has potentially high risk for Android WebView-based applications? >>> >>> None >>> >>> Debuggability >>> >>> None >>> >>> Is this feature fully tested by web-platform-tests >>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>> ?Yes (but still testing the old behavior) - >>> https://wpt.fyi/results/secure-payment-confirmation/enrollment-in-iframe.sub.https.html?label=experimental&label=master&aligned >>> >> > Can you be sure to update these as part of shipping the new behavior? > > >> >>> >>> Flag name on about://flags >>> chrome://web-authentication-align-error-type-for-payment-credential-create >>> >>> Finch feature nameNone >>> >>> Non-finch justificationNone >>> >> > Why no Finch flag? > > >> >>> >>> Requires code in //chrome?False >>> >>> Estimated milestones >>> >>> No milestones specified >>> >> > Please be sure to fill this out before shipping so that this change gets > properly messaged on ChromeStatus's roadmap, the beta blogpost, etc. > > >> >>> Link to entry on the Chrome Platform Status >>> https://chromestatus.com/feature/5160752715137024?gate=6260632086904832 >>> >>> This intent message was generated by Chrome Platform Status >>> <https://chromestatus.com/>. >>> >> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to blink-dev+unsubscr...@chromium.org. >> To view this discussion visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/39f5811d-a696-4fa0-8caa-720c18880799n%40chromium.org >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/39f5811d-a696-4fa0-8caa-720c18880799n%40chromium.org?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADY3Mae6vAS%3DVOhd7K6w7QrivQsiu0fNSnH%3DSDwxEEmtPenr3g%40mail.gmail.com.
