Intent to Prototype: Align error type thrown for 'payment' WebAuthn credential creation: SecurityError => NotAllowedError

Stephen Mcgruer

unread,

Feb 24, 2025, 10:34:46 AMFeb 24

to blink-dev

Contact emails

smcg...@chromium.org

Explainer

https://github.com/w3c/secure-payment-confirmation/issues/267

Specification

None

Summary

Correct the error type thrown during WebAuthn credential creation for 'payment' credentials. Due to a historic specification mismatch, creating a 'payment' credential in a cross-origin iframe without a user activation would throw a SecurityError instead of a NotAllowedError, which is what is thrown for non-payment credentials. This is a breaking change, albeit a niche one. Code that previously detected the type of error thrown (e.g., `e instanceof SecurityError`) would be affected. Code that just generally handles errors during credential creation (e.g. `catch (e)`) will continue to function correctly.

Blink component

Blink>Payments

Motivation

As part of Secure Payment Confirmation (SPC), WebAuthn credentials with the 'payment' extension could be created in a cross-origin iframe before this was allowed for other WebAuthn credentials. When the ability to do this for all WebAuthn credentials was added in https://github.com/w3c/webauthn/pull/1801, an accidental spec misalignment was made. In the very specific case of credential creation in a cross-origin iframe without user activation, the SPC spec said to throw a SecurityError, whilst the WebAuthn spec said to throw a NotAllowedError. This misalignment has now been corrected at the specification level (https://github.com/w3c/secure-payment-confirmation/issues/267), and so left Chromium as non-compliant with the specification.

Initial public proposal

https://github.com/w3c/secure-payment-confirmation/issues/267

TAG review

None

TAG review status

N/A - minor change to existing specification

Risks

Interoperability and Compatibility

None

Gecko: N/A - minor change to existing specification. Note that SPC is not implemented or supported by Gecko.

WebKit: N/A - minor change to existing specification. Note that SPC is not implemented or supported by Gecko.

Web developers: No signals

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None

Debuggability

None

Is this feature fully tested by web-platform-tests?

Yes (but still testing the old behavior) - https://wpt.fyi/results/secure-payment-confirmation/enrollment-in-iframe.sub.https.html?label=experimental&label=master&aligned

Flag name on about://flags

chrome://web-authentication-align-error-type-for-payment-credential-create

Finch feature name

None

Non-finch justification

None

Requires code in //chrome?

False

Estimated milestones

No milestones specified

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5160752715137024?gate=6260632086904832

This intent message was generated by Chrome Platform Status.

Stephen McGruer

unread,

Feb 24, 2025, 10:52:44 AMFeb 24

to blink-dev, Stephen McGruer

Note: We've done outreach to the WPWG members (https://lists.w3.org/Archives/Public/public-payments-wg/2025Feb/0008.html), and are following up with known partners directly.

We don't have UseCounters here currently; I'm hoping to land some for M135, but this is such a niche case (creation within an iframe is rare/non-existent today in practice, and this further requires that you are catching and care about the specific error type for missing user activation) that I may request I2S without that data.

Domenic Denicola

unread,

Feb 25, 2025, 12:26:48 AMFeb 25

to Stephen McGruer, blink-dev

Thanks for this attention to detail! A few minor points:

On Tue, Feb 25, 2025 at 12:52 AM Stephen McGruer <smcg...@chromium.org> wrote:

Note: We've done outreach to the WPWG members (https://lists.w3.org/Archives/Public/public-payments-wg/2025Feb/0008.html), and are following up with known partners directly.

We don't have UseCounters here currently; I'm hoping to land some for M135, but this is such a niche case (creation within an iframe is rare/non-existent today in practice, and this further requires that you are catching and care about the specific error type for missing user activation) that I may request I2S without that data.

On Monday, February 24, 2025 at 10:34:46 AM UTC-5 Stephen McGruer wrote:

Contact emails
smcg...@chromium.org

Explainer
https://github.com/w3c/secure-payment-confirmation. A few more /issues/267

Can you be sure to update these as part of shipping the new behavior?

Flag name on about://flags
chrome://web-authentication-align-error-type-for-payment-credential-create

Finch feature name
None

Non-finch justification
None

Why no Finch flag?

Requires code in //chrome?
False

Estimated milestones
No milestones specified

Please be sure to fill this out before shipping so that this change gets properly messaged on ChromeStatus's roadmap, the beta blogpost, etc.

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5160752715137024?gate=6260632086904832

This intent message was generated by Chrome Platform Status.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/39f5811d-a696-4fa0-8caa-720c18880799n%40chromium.org.

Stephen Mcgruer

unread,

Feb 25, 2025, 9:17:20 AMFeb 25

to Domenic Denicola, blink-dev

Thanks Domenic,

> Can you be sure to update these as part of shipping the new behavior?

Absolutely, sorry if that wasn't clear that we will be doing this. :)

> Why no Finch flag?

Because Chromestatus didn't ask me for one before reaching the I2P stage, and I missed this field when manually editing the email 😅. Naively, there will be a default Finch flag here from the base::Feature generated from the RuntimeEnabledFeature, and that Finch flag will act as a killswitch as needed. Is something more expected? (Do web platform launches use Finch rollouts nowadays? Been a while since I've been in the WP space!)

> Please be sure to fill this out before shipping so that this change gets properly messaged on ChromeStatus's roadmap, the beta blogpost, etc.

Absolutely will do; this will be filled out before sending the I2S.

Domenic Denicola

unread,

Feb 25, 2025, 8:21:43 PMFeb 25

to Stephen Mcgruer, Domenic Denicola, blink-dev

Ah, this was such a well-written Intent to Prototype that I thought it was an Intent to Ship, and asked for more details than would be usual at that stage!

On Tue, Feb 25, 2025 at 11:17 PM Stephen Mcgruer <smcg...@chromium.org> wrote:

Thanks Domenic,

> Can you be sure to update these as part of shipping the new behavior?

Absolutely, sorry if that wasn't clear that we will be doing this. :)

> Why no Finch flag?

Because Chromestatus didn't ask me for one before reaching the I2P stage, and I missed this field when manually editing the email 😅. Naively, there will be a default Finch flag here from the base::Feature generated from the RuntimeEnabledFeature, and that Finch flag will act as a killswitch as needed. Is something more expected? (Do web platform launches use Finch rollouts nowadays? Been a while since I've been in the WP space!)

The default Finch flag will be perfect :). It's not for rollouts; it's for an emergency kill switch.

Reply all

Reply to author

Forward