- From: Stephen McGruer <smcgruer@google.com>
- Date: Mon, 24 Feb 2025 10:49:39 -0500
- To: Web Payments Working Group <public-payments-wg@w3.org>
- Message-ID: <CADY3Mac7H=+ozqpjvErrbA1uGBn0Df74ORbMDh3UdjtfOc3WGA@mail.gmail.com>
*If you don't have/own code that creates 'payment' WebAuthn credentials in
a cross-origin iframe, you can stop reading now.*
Hey folks,
Just a heads up that Chromium is looking at
<https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/X0c08UCiUGc>
making a technically-breaking change in a very niche space: the error type
thrown by navigator.credentials.create() if it is called in a cross-origin
iframe without a user activation (e.g., click), with the 'payment'
extension specified.
This is being done to align with WebAuthn (see
https://github.com/w3c/secure-payment-confirmation/issues/267). We do not
expect this to break anyone, unless you had code that very specifically
attempts to handle the error type thrown by navigator.credentials.create():
    try {
      const publicKey = {
        // A PublicKeyCredentialCreationOptions dict, with...
        extensions: {
          payment: {
            isPayment: true,
          }
        }
      };
      const credential = await navigator.credentials.create({publicKey});
    } catch (e) {
      if (e.name === "SecurityError") {
        // Do something very specific
      } else {
        // Do something else
      }
    }
If you do have such code, please update it to handle both NotAllowedError
and SecurityError, and get in touch with us to let us know that you would
be affected.
*We intend to target the change to M136*, which would be in Beta around Apr
2, 2025 and ship to Stable around Apr 29, 2025.
Thanks,
Stephen
--
smcgruer • he / him
Received on Monday, 24 February 2025 15:49:55 UTC
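
An added example, not part of the original message or of Chromium's code: one way to handle both error names as the message asks, while recording whether a user activation was present at call time so the missing-activation case stays distinguishable once it is reported as NotAllowedError. The names `createPaymentCredential`, `env` and the reason strings are hypothetical, and it is an assumption that `navigator.userActivation.isActive` reflects the activation the browser checks.

```javascript
// Added example (hypothetical helper, not code from the message or from Chromium).
// `env` is an injection point so the logic can also run outside a browser.
// In a page, pass:
//   { credentials: navigator.credentials, userActivation: navigator.userActivation }
const BLOCKED_ERROR_NAMES = new Set([
  "SecurityError",   // thrown by Chromium before the change described above
  "NotAllowedError", // thrown after the change, aligned with WebAuthn
]);

async function createPaymentCredential(publicKey, env) {
  // Record activation state *before* the call: the error name alone no longer
  // identifies the missing-activation case. Assumption: isActive mirrors the
  // browser's own check. undefined means the API is unavailable.
  const hadActivation = env.userActivation
    ? env.userActivation.isActive
    : undefined;

  try {
    const credential = await env.credentials.create({ publicKey });
    return { ok: true, credential };
  } catch (e) {
    if (BLOCKED_ERROR_NAMES.has(e.name)) {
      // Same outcome on old and new Chromium versions.
      const reason = hadActivation === false
        ? "no-user-activation"     // retry from a click handler
        : "not-allowed";           // blocked or declined for another reason
      return { ok: false, reason, errorName: e.name };
    }
    // Anything else (e.g. malformed options) is a different failure class.
    return { ok: false, reason: "other", errorName: e.name };
  }
}
```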