From c68fd027e4e064b02f467b1b2dd0be472b73562f Mon Sep 17 00:00:00 2001
From: JeffH <jdhodges@google.com>
Date: Mon, 6 Dec 2021 15:43:07 -0800
Subject: [PATCH 1/3] Add permissions-policy check for publicKey credentials

If the `CredentialRequestOptions` supplied to the Request a Credential algorithm contains a object named `publicKey` then check that the responsible document is allowed to use the publickey-credentials-get policy-controlled feature.
---
 index.bs | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/index.bs b/index.bs
index d006539..0d8da9c 100644
--- a/index.bs
+++ b/index.bs
@@ -8,7 +8,7 @@ Shortname: credential-management
 Level: 1
 Editor: Jeff Hodges, w3cid 43843, Google Inc., jdhodges@google.com
 Editor: Nina Satragno, w3cid 116344, Google Inc., nsatragno@google.com
-Former Editor: Mike West 56384, Google Inc., mkwst@google.com
+Former Editor: Mike West 56384, Google Inc., mkwst@google.co
 Group: webappsec
 Abstract:
   This specification describes an imperative API enabling a website to request a
@@ -783,7 +783,22 @@ spec:css-syntax-3;
     6.  Let |sameOriginWithAncestors| be `true` if |settings| is [=same-origin with its
         ancestors=], and `false` otherwise.
 
-    7.  Run the following steps [=in parallel=]:
+    7.  Let |key| be the result of [=map/getting the key=] of |options|.
+
+    8.  If |key| is {{CredentialRequestOptions/publicKey}} then
+        if |settings|' [=responsible document=] is **not** [=allowed to use=] the
+        <a data-lt="publickey-credentials-get-feature">publickey-credentials-get</a>
+        [=policy-controlled feature=] [[PERMISSIONS-POLICY]] return [=a promise rejected with=] `NotSupportedError`.
+
+        <!-- the below does not link directly to the "password" or "federated" `[[type]]` slot's values'
+        `<dfn>`s because Bikeshed does not (yet) yield future-proof id's for such "tokens" (according to
+        Tab Atkins) and thus using a brute-force `<a href="#dom-credential-type-password">password</a>`
+        link here will break at some point in the future when Bikeshed does handle this properly. -->
+        Note: <code>[[#passwords|password]]</code> and
+        <code>[[#federated|federated]]</code> [=credential types=] are not presently
+        treated as [=policy-controlled features=], although this may change in the future.
+
+    9.  Run the following steps [=in parallel=]:
 
         1.  Let |credentials| be the result of <a abstract-op lt="collect local">collecting
             `Credential`s from the credential store</a>, given |origin|, |options|, and
@@ -827,7 +842,7 @@ spec:css-syntax-3;
 
             Otherwise, [=reject=] |p| with |result|.
 
-    7.  Return |p|.
+    10.  Return |p|.
   </ol>
 
   <h4 id="algorithm-collect-known" algorithm>Collect `Credential`s from the credential store</h4>

From 541e317db61651a2d6db5c8d5aa044daca57da41 Mon Sep 17 00:00:00 2001
From: JeffH <jdhodges@google.com>
Date: Tue, 21 Dec 2021 12:15:26 -0800
Subject: [PATCH 2/3] incorp nsatragno & jyasskin feedback, thx!

---
 index.bs | 24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)

diff --git a/index.bs b/index.bs
index 0d8da9c..e06a811 100644
--- a/index.bs
+++ b/index.bs
@@ -8,7 +8,7 @@ Shortname: credential-management
 Level: 1
 Editor: Jeff Hodges, w3cid 43843, Google Inc., jdhodges@google.com
 Editor: Nina Satragno, w3cid 116344, Google Inc., nsatragno@google.com
-Former Editor: Mike West 56384, Google Inc., mkwst@google.co
+Former Editor: Mike West 56384, Google Inc., mkwst@google.com
 Group: webappsec
 Abstract:
   This specification describes an imperative API enabling a website to request a
@@ -68,6 +68,9 @@ spec: FETCH; urlPrefix: https://fetch.spec.whatwg.org/
 spec: promises-guide-1; urlPrefix: https://www.w3.org/2001/tag/doc/promises-guide
   type: dfn
     text: promise-calling; url: should-promise-call
+spec: infra; urlPrefix: https://infra.spec.whatwg.org/
+  type: dfn
+    text: exists; url: map-exists
 </pre>
 
 <pre class="link-defaults">
@@ -783,22 +786,15 @@ spec:css-syntax-3;
     6.  Let |sameOriginWithAncestors| be `true` if |settings| is [=same-origin with its
         ancestors=], and `false` otherwise.
 
-    7.  Let |key| be the result of [=map/getting the key=] of |options|.
-
-    8.  If |key| is {{CredentialRequestOptions/publicKey}} then
+    7.  If |options|[{{CredentialRequestOptions/publicKey}}] [=exists=] then
         if |settings|' [=responsible document=] is **not** [=allowed to use=] the
         <a data-lt="publickey-credentials-get-feature">publickey-credentials-get</a>
-        [=policy-controlled feature=] [[PERMISSIONS-POLICY]] return [=a promise rejected with=] `NotSupportedError`.
-
-        <!-- the below does not link directly to the "password" or "federated" `[[type]]` slot's values'
-        `<dfn>`s because Bikeshed does not (yet) yield future-proof id's for such "tokens" (according to
-        Tab Atkins) and thus using a brute-force `<a href="#dom-credential-type-password">password</a>`
-        link here will break at some point in the future when Bikeshed does handle this properly. -->
-        Note: <code>[[#passwords|password]]</code> and
-        <code>[[#federated|federated]]</code> [=credential types=] are not presently
+        [=policy-controlled feature=] return [=a promise rejected with=] a "{{NotAllowedError}}" {{DOMException}}.
+
+        Note: '<a const>password</a>' and '<a const>federated</a>' [=credential types=] are not presently
         treated as [=policy-controlled features=], although this may change in the future.
 
-    9.  Run the following steps [=in parallel=]:
+    8.  Run the following steps [=in parallel=]:
 
         1.  Let |credentials| be the result of <a abstract-op lt="collect local">collecting
             `Credential`s from the credential store</a>, given |origin|, |options|, and
@@ -842,7 +838,7 @@ spec:css-syntax-3;
 
             Otherwise, [=reject=] |p| with |result|.
 
-    10.  Return |p|.
+    9.  Return |p|.
   </ol>
 
   <h4 id="algorithm-collect-known" algorithm>Collect `Credential`s from the credential store</h4>

From e915c782e2d5c511dd64b1e74984fbf8e9b14220 Mon Sep 17 00:00:00 2001
From: =JeffH <jdhodges@google.com>
Date: Thu, 6 Jan 2022 13:42:04 -0800
Subject: [PATCH 3/3] Apply jyasskin's suggestions, thx!

Co-authored-by: Jeffrey Yasskin <jyasskin@chromium.org>
---
 index.bs | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/index.bs b/index.bs
index 27e26aa..3368167 100644
--- a/index.bs
+++ b/index.bs
@@ -68,9 +68,6 @@ spec: FETCH; urlPrefix: https://fetch.spec.whatwg.org/
 spec: promises-guide-1; urlPrefix: https://www.w3.org/2001/tag/doc/promises-guide
   type: dfn
     text: promise-calling; url: should-promise-call
-spec: infra; urlPrefix: https://infra.spec.whatwg.org/
-  type: dfn
-    text: exists; url: map-exists
 </pre>
 
 <pre class="link-defaults">
@@ -834,9 +831,9 @@ spec:css-syntax-3;
     1.  Let |sameOriginWithAncestors| be `true` if |settings| is [=same-origin with its
         ancestors=], and `false` otherwise.
 
-    1.  If |options|[{{CredentialRequestOptions/publicKey}}] [=exists=] then
+    1.  If |options|[{{CredentialRequestOptions/publicKey}}] [=map/exists=] then
         if |settings|' [=responsible document=] is **not** [=allowed to use=] the
-        <a data-lt="publickey-credentials-get-feature">publickey-credentials-get</a>
+        [=publickey-credentials-get-feature|publickey-credentials-get=]
         [=policy-controlled feature=] return [=a promise rejected with=] a "{{NotAllowedError}}" {{DOMException}}.
 
         Note: <a const>`password`</a> and <a const>`federated`</a> [=credential types=] are not presently