Add permissions-policy check for publicKey credentials

index.bs

@@ -68,6 +68,9 @@ spec: FETCH; urlPrefix: https://fetch.spec.whatwg.org/
 spec: promises-guide-1; urlPrefix: https://www.w3.org/2001/tag/doc/promises-guide
   type: dfn
     text: promise-calling; url: should-promise-call
+spec: infra; urlPrefix: https://infra.spec.whatwg.org/
+  type: dfn
+    text: exists; url: map-exists
 </pre>
 
 <pre class="link-defaults">
@@ -831,6 +834,14 @@ spec:css-syntax-3;
     1.  Let |sameOriginWithAncestors| be `true` if |settings| is [=same-origin with its
         ancestors=], and `false` otherwise.
 
+    1.  If |options|[{{CredentialRequestOptions/publicKey}}] [=exists=] then
+        if |settings|' [=responsible document=] is **not** [=allowed to use=] the
+        <a data-lt="publickey-credentials-get-feature">publickey-credentials-get</a>
+        [=policy-controlled feature=] return [=a promise rejected with=] a "{{NotAllowedError}}" {{DOMException}}.
+
+        Note: <a const>`password`</a> and <a const>`federated`</a> [=credential types=] are not presently
+        treated as [=policy-controlled features=], although this may change in the future.
+
     1.  Run the following steps [=in parallel=]:
 
         1.  Let |credentials| be the result of <a abstract-op lt="collect local">collecting