The [[Create]] internal method for PublicKeyCredential has the following text:
1. If the [=relevant global object=], as determined by the calling
{{CredentialsContainer/create()}} implementation, does not have
[=transient activation=]:
1. Throw a "{{NotAllowedError}}" {{DOMException}}.
1. [=Consume user activation=] of the [=relevant global object=].
I think the strange "as determined by the calling {{CredentialsContainer/create()}} implementation" may be trying to work around this issue, but consuming user activation does not have that blurb and to me that looks like underspecified behaviour. This might need some changes in credman: either we make it so internal methods can be run from the main thread, or we put this spec from webauthn directly in credman like we did for permissions policy.
nsatragno
commented
4 months ago
The
[[Create]]internal method forPublicKeyCredentialhas the following text:However,
[[Create]]is called in parallel which means it cannot access the global object. This was pointed out for a different spec by @marcoscaceres.I think the strange "as determined by the calling {{CredentialsContainer/create()}} implementation" may be trying to work around this issue, but consuming user activation does not have that blurb and to me that looks like underspecified behaviour. This might need some changes in credman: either we make it so internal methods can be run from the main thread, or we put this spec from webauthn directly in credman like we did for permissions policy.