From 58412d41a6ab5a0ae35b9b7deb41d528bea9f5ac Mon Sep 17 00:00:00 2001 From: Hamish Willee Date: Tue, 6 Feb 2024 15:18:46 +1100 Subject: [PATCH 01/13] FF123 updates for permission publickey-credentials-create --- .../api/credentialscontainer/create/index.md | 2 +- .../web/api/credentialscontainer/get/index.md | 2 +- .../web/api/web_authentication_api/index.md | 20 +++++++++++++++---- .../publickey-credentials-create/index.md | 3 ++- .../publickey-credentials-get/index.md | 3 ++- 5 files changed, 22 insertions(+), 8 deletions(-) diff --git a/files/en-us/web/api/credentialscontainer/create/index.md b/files/en-us/web/api/credentialscontainer/create/index.md index 547988576fec7f0..94ee9616a7e27d6 100644 --- a/files/en-us/web/api/credentialscontainer/create/index.md +++ b/files/en-us/web/api/credentialscontainer/create/index.md @@ -313,7 +313,7 @@ A {{jsxref("Promise")}} that resolves with an {{domxref("PublicKeyCredential")}} ### Exceptions -- `SecurityError` {{domxref("DOMException")}} +- `NotAllowedError` {{domxref("DOMException")}} - : Usage was blocked by a {{HTTPHeader("Permissions-Policy/publickey-credentials-create","publickey-credentials-create")}} [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). ## Examples diff --git a/files/en-us/web/api/credentialscontainer/get/index.md b/files/en-us/web/api/credentialscontainer/get/index.md index 0670a5b1cbe3170..b92449a510e60ef 100644 --- a/files/en-us/web/api/credentialscontainer/get/index.md +++ b/files/en-us/web/api/credentialscontainer/get/index.md @@ -336,7 +336,7 @@ A {{jsxref("Promise")}} that resolves with an {{domxref("PublicKeyCredential")}} ### Exceptions -- `SecurityError` {{domxref("DOMException")}} +- `NotAllowedError` {{domxref("DOMException")}} - : Usage was blocked by a {{HTTPHeader("Permissions-Policy/publickey-credentials-get","publickey-credentials-get")}} [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). ### Examples diff --git a/files/en-us/web/api/web_authentication_api/index.md b/files/en-us/web/api/web_authentication_api/index.md index f8af14503ec12ea..c7d9de2075c1ce6 100644 --- a/files/en-us/web/api/web_authentication_api/index.md +++ b/files/en-us/web/api/web_authentication_api/index.md @@ -121,9 +121,9 @@ The availability of WebAuthn can be controlled using a [Permissions Policy](/en- - {{httpheader("Permissions-Policy/publickey-credentials-create", "publickey-credentials-create")}}: Controls the availability of {{domxref("CredentialsContainer.create", "navigator.credentials.create()")}} with the `publicKey` option. - {{httpheader("Permissions-Policy/publickey-credentials-get", "publickey-credentials-get")}}: Controls the availability of {{domxref("CredentialsContainer.get", "navigator.credentials.get()")}} with the `publicKey` option. -Both directives have a default allowlist value of `"self"`, meaning that by default these methods can be used in top-level document contexts. In addition, `get()` can be used in nested browsing contexts loaded from the same origin as the top-most document; `create()` on the other hand cannot be used in {{htmlelement("iframe")}}s. +Both directives have a default allowlist value of `"self"`, meaning that by default these methods can be used in top-level document contexts. In addition, `get()` can be used in nested browsing contexts loaded from the same origin as the top-most document. `create()` can be used in nested browsing contexts loaded from the different origins to the top-most document (i.e. in cross-origin ``). -> **Note:** Where a policy forbids use of these methods, the {{jsxref("Promise", "promises")}} returned by them will reject with a `SecurityError` {{domxref("DOMException")}}. +> **Note:** Where a policy forbids use of these methods, the {{jsxref("Promise", "promises")}} returned by them will reject with a `NotAllowedError` {{domxref("DOMException")}}. ### Basic access control @@ -136,26 +136,38 @@ Permissions-Policy: publickey-credentials-create=("https://subdomain.example.com ### Allowing embedded `get()` calls in an ` + ``` + + If using `set()`: + ```html ``` 2. The relying party site must provide permission for the above access via a `Permissions-Policy` header: ```http Permissions-Policy: publickey-credentials-get=* + Permissions-Policy: publickey-credentials-set=* ``` Or to allow only a specific URL to embed the relying party site in an ` ``` -2. The relying party site must provide permission for the above access via a `Permissions-Policy` header: +2. The ` ``` - If using `set()`: + If using `create()`: ```html - ``` + ```html + + ``` - If using `create()`: + - If using `create()`: - ```html - - ``` + ```html + + ``` -2. The ` ``` From c5ddfc945f5dd699e2419ef44733adc57354c2b0 Mon Sep 17 00:00:00 2001 From: Hamish Willee Date: Fri, 16 Feb 2024 09:08:28 +1100 Subject: [PATCH 13/13] Apply suggestions from code review Co-authored-by: wbamberg --- files/en-us/web/api/web_authentication_api/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/files/en-us/web/api/web_authentication_api/index.md b/files/en-us/web/api/web_authentication_api/index.md index 9ab260ee379efb8..2fd7a12b4dfa9c5 100644 --- a/files/en-us/web/api/web_authentication_api/index.md +++ b/files/en-us/web/api/web_authentication_api/index.md @@ -123,10 +123,10 @@ The availability of WebAuthn can be controlled using a [Permissions Policy](/en- Both directives have a default allowlist value of `"self"`, meaning that by default these methods can be used in top-level document contexts. In addition, `get()` can be used in nested browsing contexts loaded from the same origin as the top-most document. -`get()` and `create()` can be used in nested browsing contexts loaded from the different origins to the top-most document (i.e. in cross-origin ``), if allowed by the `Permission-Policy`s [`publickey-credentials-get`](/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-get) and [`publickey-credentials-create`](/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-create), respectively. +`get()` and `create()` can be used in nested browsing contexts loaded from the different origins to the top-most document (i.e. in cross-origin ``), if allowed by the [`publickey-credentials-get`](/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-get) and [`publickey-credentials-create`](/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-create) `Permission-Policy` directives, respectively. For cross-origin `create()` calls, where the permission was granted by [`allow=` on an iframe](/en-US/docs/Web/HTTP/Headers/Permissions-Policy#iframes), the frame must also have {{glossary("Transient activation")}}. -> **Note:** Where a policy forbids use of these methods, the {{jsxref("Promise", "promises")}} returned by them will reject with a `NotAllowedError` {{domxref("DOMException")}}. +> **Note:** Where a policy forbids use of these methods, the {{jsxref("Promise", "promises", "", "nocode")}} returned by them will reject with a `NotAllowedError` {{domxref("DOMException")}}. ### Basic access control