Currently the 'payment' extension is specified to allow credential creation in a cross-origin iframe:
1. Modify step 2 (the check for sameOriginWithAncestors) as follows:
- If sameOriginWithAncestors is false:
- If the [relevant global object](https://html.spec.whatwg.org/multipage/webappapis.html#concept-relevant-global), as determined by the calling [create()](https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create) implementation, does not have [transient activation](https://html.spec.whatwg.org/multipage/interaction.html#transient-activation):
- Return a [DOMException](https://webidl.spec.whatwg.org/#idl-DOMException) whose name is "[SecurityError](https://webidl.spec.whatwg.org/#securityerror)", and terminate this algorithm.
- [Consume user activation](https://html.spec.whatwg.org/multipage/interaction.html#consume-user-activation) of the [relevant global object](https://html.spec.whatwg.org/multipage/webappapis.html#concept-relevant-global).
2. If sameOriginWithAncestors is false:
- If the [relevant global object](https://html.spec.whatwg.org/multipage/webappapis.html#concept-relevant-global), as determined by the calling [create()](https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create) implementation, does not have [transient activation](https://html.spec.whatwg.org/multipage/interaction.html#transient-activation):
- Throw a "[NotAllowedError](https://webidl.spec.whatwg.org/#notallowederror)" [DOMException](https://webidl.spec.whatwg.org/#idl-DOMException).
- [Consume user activation](https://html.spec.whatwg.org/multipage/interaction.html#consume-user-activation) of the [relevant global object](https://html.spec.whatwg.org/multipage/webappapis.html#concept-relevant-global).
As such, we can now remove the text from SPC. However, there's a slight hitch. Spot the difference between the above two bits of spec text?
If there isn't a transient activation, SPC throws a SecurityError DOMException. But WebAuthn throws a NotAllowedError.
So, we have a small web compat issue here. We should confirm with known SPC implementors if they are handling a SecurityError specifically during credential creation, and if changing it to NotAllowedError would break them.
Currently the 'payment' extension is specified to allow credential creation in a cross-origin iframe:
Source
This uses the
payment
permission policy (source).However, as of https://github.com/w3c/webauthn/pull/1801, this behavior is now in the WebAuthn spec itself:
Source
As such, we can now remove the text from SPC. However, there's a slight hitch. Spot the difference between the above two bits of spec text?
If there isn't a transient activation, SPC throws a SecurityError DOMException. But WebAuthn throws a NotAllowedError.
So, we have a small web compat issue here. We should confirm with known SPC implementors if they are handling a SecurityError specifically during credential creation, and if changing it to NotAllowedError would break them.