[webauthn] Match Conditional UI API to spec

Update the WebAuthn Conditional UI API to match the proposed
specification, replacing the conditionalPublicKey attribute with a
"conditional" mediation value. Attempting to set the mediation to
"conditional" for password or federated credentials will result in a
NotSupportedError. Setting the value for WebAuthn requests will be
ignored unless the WebAuthenticationConditionalUI flag is enabled.

PR spec: w3c/webauthn#1576

Design doc:
https://docs.google.com/document/d/1KzEWP0aoLMZ0asfw6d3-7UHJ6csTtxLA478EgptCvkk

Bug: 1171985
Change-Id: Ia0045d7fd9becadeadaa362b29ddd56dc38a79b2
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2780274
Reviewed-by: Martin Kreichgauer <martinkr@google.com>
Commit-Queue: Nina Satragno <nsatragno@chromium.org>
Cr-Commit-Position: refs/heads/master@{#866725}

Author: nsatragno

chrome/browser/ui/views/webauthn/webauthn_icon_interactive_uitest.cc

@@ -108,10 +108,13 @@ IN_PROC_BROWSER_TEST_F(WebAuthUITest, ConditionalUI) {
       });
 
   constexpr char kGetAssertion[] =
-      "navigator.credentials.get({conditionalPublicKey: {"
-      "  challenge: new Uint8Array([1,2,3,4]),"
-      "  timeout: 1000,"
-      "}}).then(c => window.domAutomationController.send(c ? 'OK' : 'c null'),"
+      "navigator.credentials.get({"
+      "  publicKey: {"
+      "    challenge: new Uint8Array([1,2,3,4]),"
+      "    timeout: 1000,"
+      "  },"
+      "  mediation: 'conditional'"
+      "}).then(c => window.domAutomationController.send(c ? 'OK' : 'c null'),"
       "         e => window.domAutomationController.send(e.toString()));";
   content::WebContents* const web_contents =
       browser()->tab_strip_model()->GetActiveWebContents();

third_party/blink/renderer/modules/credentialmanager/credential_request_options.idl

@@ -7,7 +7,8 @@
 enum CredentialMediationRequirement {
   "silent",
   "optional",
-  "required"
+  "required",
+  "conditional"
 };
 
 dictionary CredentialRequestOptions {
@@ -19,8 +20,6 @@ dictionary CredentialRequestOptions {
     [RuntimeEnabled=WebOTP] OTPCredentialRequestOptions otp;
 
     PublicKeyCredentialRequestOptions publicKey;
-    [RuntimeEnabled=WebAuthenticationConditionalUI]
-    PublicKeyCredentialRequestOptions conditionalPublicKey;
 
     AbortSignal signal;
 };

third_party/blink/renderer/modules/credentialmanager/credentials_container.cc

@@ -937,7 +937,7 @@ ScriptPromise CredentialsContainer::get(
 
   auto required_origin_type = RequiredOriginType::kSecureAndSameWithAncestors;
   // hasPublicKey() implies that this is a WebAuthn request.
-  if ((options->hasPublicKey() || options->hasConditionalPublicKey()) &&
+  if (options->hasPublicKey() &&
       RuntimeEnabledFeatures::
           WebAuthenticationGetAssertionFeaturePolicyEnabled()) {
     required_origin_type = RequiredOriginType::
@@ -951,17 +951,7 @@ ScriptPromise CredentialsContainer::get(
     return promise;
   }
 
-  if (options->hasPublicKey() || options->hasConditionalPublicKey()) {
-    const PublicKeyCredentialRequestOptions* public_key_options;
-    bool is_conditional_ui_request;
-    if (options->hasPublicKey()) {
-      public_key_options = options->publicKey();
-      is_conditional_ui_request = false;
-    } else {
-      public_key_options = options->conditionalPublicKey();
-      is_conditional_ui_request = true;
-    }
-
+  if (options->hasPublicKey()) {
     auto cryptotoken_origin = SecurityOrigin::Create(KURL(kCryptotokenOrigin));
     if (!cryptotoken_origin->IsSameOriginWith(
             resolver->GetExecutionContext()->GetSecurityOrigin())) {
@@ -972,21 +962,21 @@ ScriptPromise CredentialsContainer::get(
     }
 
 #if defined(OS_ANDROID)
-    if (public_key_options->hasExtensions() &&
-        public_key_options->extensions()->hasUvm()) {
+    if (options->publicKey()->hasExtensions() &&
+        options->publicKey()->extensions()->hasUvm()) {
       UseCounter::Count(resolver->GetExecutionContext(),
                         WebFeature::kCredentialManagerGetWithUVM);
     }
 #endif
-    if (!IsArrayBufferOrViewBelowSizeLimit(public_key_options->challenge())) {
+    if (!IsArrayBufferOrViewBelowSizeLimit(options->publicKey()->challenge())) {
       resolver->Reject(DOMException::Create(
           "The `challenge` attribute exceeds the maximum allowed size.",
           "RangeError"));
       return promise;
     }
-    if (public_key_options->hasExtensions()) {
-      if (public_key_options->extensions()->hasAppid()) {
-        const auto& appid = public_key_options->extensions()->appid();
+    if (options->publicKey()->hasExtensions()) {
+      if (options->publicKey()->extensions()->hasAppid()) {
+        const auto& appid = options->publicKey()->extensions()->appid();
         if (!appid.IsEmpty()) {
           KURL appid_url(appid);
           if (!appid_url.IsValid()) {
@@ -998,24 +988,24 @@ ScriptPromise CredentialsContainer::get(
           }
         }
       }
-      if (public_key_options->extensions()->hasCableRegistration()) {
+      if (options->publicKey()->extensions()->hasCableRegistration()) {
         resolver->Reject(MakeGarbageCollected<DOMException>(
             DOMExceptionCode::kNotSupportedError,
             "The 'cableRegistration' extension is only valid when creating "
             "a credential"));
         return promise;
       }
-      if (public_key_options->extensions()->credProps()) {
+      if (options->publicKey()->extensions()->credProps()) {
         resolver->Reject(MakeGarbageCollected<DOMException>(
             DOMExceptionCode::kNotSupportedError,
             "The 'credProps' extension is only valid when creating "
             "a credential"));
         return promise;
       }
-      if (public_key_options->extensions()->hasLargeBlob()) {
+      if (options->publicKey()->extensions()->hasLargeBlob()) {
         DCHECK(RuntimeEnabledFeatures::
                    WebAuthenticationLargeBlobExtensionEnabled());
-        if (public_key_options->extensions()->largeBlob()->hasSupport()) {
+        if (options->publicKey()->extensions()->largeBlob()->hasSupport()) {
           resolver->Reject(MakeGarbageCollected<DOMException>(
               DOMExceptionCode::kNotSupportedError,
               "The 'largeBlob' extension's 'support' parameter is only valid "
@@ -1025,7 +1015,7 @@ ScriptPromise CredentialsContainer::get(
       }
     }
 
-    if (!public_key_options->hasUserVerification()) {
+    if (!options->publicKey()->hasUserVerification()) {
       resolver->DomWindow()->AddConsoleMessage(
           MakeGarbageCollected<ConsoleMessage>(
               mojom::blink::ConsoleMessageSource::kJavaScript,
@@ -1050,17 +1040,19 @@ ScriptPromise CredentialsContainer::get(
           WTF::Bind(&AbortPublicKeyRequest, WrapPersistent(script_state)));
     }
 
+    bool is_conditional_ui_request = conditionalMediationSupported() &&
+                                     options->mediation() == "conditional";
     if (is_conditional_ui_request &&
-        public_key_options->hasAllowCredentials() &&
-        !public_key_options->allowCredentials().IsEmpty()) {
+        options->publicKey()->hasAllowCredentials() &&
+        !options->publicKey()->allowCredentials().IsEmpty()) {
       resolver->Reject(MakeGarbageCollected<DOMException>(
           DOMExceptionCode::kNotAllowedError,
           "allowCredentials is not supported for conditionalPublicKey"));
       return promise;
     }
 
     auto mojo_options =
-        MojoPublicKeyCredentialRequestOptions::From(*public_key_options);
+        MojoPublicKeyCredentialRequestOptions::From(*options->publicKey());
     if (mojo_options) {
       mojo_options->is_conditional = is_conditional_ui_request;
       if (!mojo_options->relying_party_id) {
@@ -1117,6 +1109,12 @@ ScriptPromise CredentialsContainer::get(
   }
 
   CredentialMediationRequirement requirement;
+  if (options->mediation() == "conditional") {
+    resolver->Reject(MakeGarbageCollected<DOMException>(
+        DOMExceptionCode::kNotSupportedError,
+        "Conditional mediation is not supported for this credential type"));
+    return promise;
+  }
   if (options->mediation() == "silent") {
     UseCounter::Count(ExecutionContext::From(script_state),
                       WebFeature::kCredentialManagerGetMediationSilent);
@@ -1419,6 +1417,10 @@ ScriptPromise CredentialsContainer::preventSilentAccess(
   return promise;
 }
 
+bool CredentialsContainer::conditionalMediationSupported() {
+  return RuntimeEnabledFeatures::WebAuthenticationConditionalUIEnabled();
+}
+
 void CredentialsContainer::Trace(Visitor* visitor) const {
   ScriptWrappable::Trace(visitor);
   Supplement<Navigator>::Trace(visitor);

third_party/blink/renderer/modules/credentialmanager/credentials_container.h

@@ -36,6 +36,7 @@ class MODULES_EXPORT CredentialsContainer final : public ScriptWrappable,
                        const CredentialCreationOptions*,
                        ExceptionState&);
   ScriptPromise preventSilentAccess(ScriptState*);
+  bool conditionalMediationSupported();
 
   void Trace(Visitor*) const override;
 };

third_party/blink/renderer/modules/credentialmanager/credentials_container.idl

@@ -10,4 +10,5 @@ interface CredentialsContainer {
     [CallWith=ScriptState, MeasureAs=CredentialManagerStore] Promise<Credential> store(Credential credential);
     [CallWith=ScriptState, RaisesException, MeasureAs=CredentialManagerCreate] Promise<Credential?> create(optional CredentialCreationOptions options = {});
     [CallWith=ScriptState, MeasureAs=CredentialManagerPreventSilentAccess] Promise<void> preventSilentAccess();
+    [RuntimeEnabled=WebAuthenticationConditionalUI] readonly attribute boolean conditionalMediationSupported;
 };