Intent to Ship: Align error type thrown for 'payment' WebAuthn credential creation: SecurityError => NotAllowedError

99 views
Skip to first unread message

Stephen Mcgruer

unread,
Apr 15, 2025, 11:47:14 AMApr 15
to blink-dev

Contact emails

smcg...@chromium.org

Explainer

https://github.com/w3c/secure-payment-confirmation/issues/267

Specification

https://github.com/w3c/secure-payment-confirmation/pull/281

Summary

Correct the error type thrown during WebAuthn credential creation for 'payment' credentials. Due to a historic specification mismatch, creating a 'payment' credential in a cross-origin iframe without a user activation would throw a SecurityError instead of a NotAllowedError, which is what is thrown for non-payment credentials. This is a breaking change, albeit a niche one. Code that previously detected the type of error thrown (e.g., `e instanceof SecurityError`) would be affected. Code that just generally handles errors during credential creation (e.g. `catch (e)`) will continue to function correctly.


Blink component

Blink>Payments

TAG review

N/A - this is a compat bugfix to the SPC spec and does not require its own review.

TAG review status

N/A

Risks


Interoperability and Compatibility

There is a *very* minor risk of web compat breakage here. If code is very specifically handling the error type thrown for the very specific outcome of no user activation on creating a creation in a cross-origin iframe with the payment extension, they may stop handling that correctly. That is, if one was doing a specific `e instanceof SecurityError`, it will no longer catch the above case. Given that code should still be handling the overall fact that *some* error was thrown, and that creating credentials in cross-origin iframes is incredibly rare today - nevermind specifically with the 'payment' extension and not having a user activation - the risk seems low enough for this to be safe. https://chromestatus.com/metrics/feature/timeline/popularity/4758 measures creating credentials in a cross-origin iframe. Currently at 0.000005% of page loads.


Gecko: N/A Firefox does not ship SPC (https://github.com/mozilla/standards-positions/issues/570) and thus does not support the "payment" extension, so never had this compat issue.

WebKit: N/A Safari does not ship SPC (https://github.com/WebKit/standards-positions/issues/30) and thus does not support the "payment" extension, so never had this compat issue.

Web developers: Payment industry partners that are experimenting with SPC have been informed, and none have raised any concerns.

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None


Debuggability

N/A - standard devtools tools suffice.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

No - SPC/the payment extension is not shipped on Android WebView.

Is this feature fully tested by web-platform-tests?

Yes

https://wpt.fyi/results/secure-payment-confirmation/enrollment-in-iframe.sub.https.html?label=experimental&label=master&aligned Test: "SPC enrollment in cross-origin iframe fails without user activation"


Flag name on about://flags

None

Finch feature name

WebAuthenticationAlignErrorTypeForPaymentCredentialCreate

Non-finch justification

Note: Not planning a Finch rollout, but have a base::Feature flag for emergency kill-switch via Finch if needed.


Rollout plan

Will ship enabled for all users

Requires code in //chrome?

False

Tracking bug

https://issues.chromium.org/u/1/issues/41484826

Estimated milestones

Shipping on desktop137
DevTrial on desktop135
Shipping on Android137
DevTrial on Android135

Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

None

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5160752715137024?gate=5120826699153408

Links to previous Intent discussions

Intent to Prototype: https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/X0c08UCiUGc


This intent message was generated by Chrome Platform Status.

Domenic Denicola

unread,
Apr 15, 2025, 9:26:02 PMApr 15
to Stephen Mcgruer, blink-dev
LGTM1

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADY3MaeGOOp6eZ9Dm%3DiUm-_XCiTh0URDfRStOh9TgeuX_Yy4SA%40mail.gmail.com.

Vladimir Levin

unread,
Apr 15, 2025, 10:35:51 PMApr 15
to blink-dev, Domenic Denicola, blink-dev, Stephen McGruer
LGTM2

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

Chris Harrelson

unread,
Apr 16, 2025, 11:06:50 AMApr 16
to Vladimir Levin, blink-dev, Domenic Denicola, Stephen McGruer
LGTM3

LGTM2

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADY3MaeGOOp6eZ9Dm%3DiUm-_XCiTh0URDfRStOh9TgeuX_Yy4SA%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/f7219085-7242-4387-a50f-e096ebd5392en%40chromium.org.
Reply all
Reply to author
Forward
0 new messages