diff --git a/index.bs b/index.bs index cb7037169..41626ea9f 100644 --- a/index.bs +++ b/index.bs @@ -36,6 +36,7 @@ Former Editor: Rolf Lindemann, w3cid 84447, Nok Nok Labs, rolf@noknok.com !Contributors: Christiaan Brand (Google) !Contributors: Adam Langley (Google) !Contributors: Giridhar Mandyam (Qualcomm) +!Contributors: Pascoe (Apple) !Contributors: Nina Satragno (Google) !Contributors: Ki-Eun Shin (SK Telecom) !Contributors: Nick Steele (1Password) @@ -1582,15 +1583,16 @@ that are returned to the caller when a new credential is created, or a new asser : {{PublicKeyCredential/isConditionalMediationAvailable()}} :: {{PublicKeyCredential}} overrides this method to indicate availability for {{CredentialMediationRequirement/conditional}} - mediation. [=[WRPS]=] SHOULD verify availability before attempting to set - |options|.{{CredentialRequestOptions/mediation}} to {{CredentialMediationRequirement/conditional}}. + mediation during {{CredentialsContainer/get()|navigator.credentials.get()}}. [=[WRPS]=] SHOULD verify availability before + attempting to set |options|.{{CredentialRequestOptions/mediation}} to {{CredentialMediationRequirement/conditional}}. Upon invocation, a promise is returned that resolves with a value of [TRUE] if {{CredentialMediationRequirement/conditional}} [=user mediation=] is available, or [FALSE] otherwise. This method has no arguments and returns a promise to a Boolean value. - Note: If this method is not present, {{CredentialMediationRequirement/conditional}} [=user mediation=] is not available. + Note: If this method is not present, {{CredentialMediationRequirement/conditional}} [=user mediation=] is not available for + {{CredentialsContainer/get()|navigator.credentials.get()}}. : {{PublicKeyCredential/toJSON()}} :: This operation returns {{RegistrationResponseJSON}} or {{AuthenticationResponseJSON}}, 
@@ -1736,8 +1738,16 @@ To support obtaining assertions via {{CredentialsContainer/get()|navigator.crede {{PublicKeyCredential}}'s [=interface object=]'s implementation of the \[[Create]](origin, options, sameOriginWithAncestors) [=internal method=] [[!CREDENTIAL-MANAGEMENT-1]] allows [=[WRP]=] scripts to call {{CredentialsContainer/create()|navigator.credentials.create()}} to request the creation of a new -[=public key credential source=], [=bound credential|bound=] to an [=authenticator=]. This -{{CredentialsContainer/create()|navigator.credentials.create()}} operation can be aborted by leveraging the {{AbortController}}; +[=public key credential source=], [=bound credential|bound=] to an [=authenticator=]. + +By setting |options|.{{CredentialCreationOptions/mediation}} to {{CredentialMediationRequirement/conditional}}, +[=[RPS]=] can indicate that they would like to register a credential without prominent modal UI if user has already consented to create a credential. The [=[RP]=] SHOULD first check that {{ClientCapability/conditionalCreate}} is present +in the result of {{PublicKeyCredential/getClientCapabilities()}} in order to avoid the possibility of causing a user-visible error to be returned if the user agent does +not support {{CredentialMediationRequirement/conditional}} [=user mediation=] for {{CredentialsContainer/create()|navigator.credentials.create()}}. +The client MUST set BOTH |requireUserPresence| and |requireUserVerification| to |FALSE| when |options|.{{CredentialCreationOptions/mediation}} is set to {{CredentialMediationRequirement/conditional}} +unless they may explicitly performed during the ceremony. + +Any {{CredentialsContainer/create()|navigator.credentials.create()}} operation can be aborted by leveraging the {{AbortController}}; see [[dom#abortcontroller-api-integration]] for detailed instructions. 
@@ -1776,6 +1786,11 @@ When this method is invoked, the user agent MUST execute the following algorithm 1. If sameOriginWithAncestors is [FALSE]: + 1. If |options|.{{CredentialCreationOptions/mediation}} is present with the value + {{CredentialMediationRequirement/conditional}}: + + 1. Throw a "{{NotAllowedError}}" {{DOMException}} + 1. If the [=relevant global object=], as determined by the calling {{CredentialsContainer/create()}} implementation, does not have [=transient activation=]: @@ -1912,6 +1927,16 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o [=authenticators=] can be hot-plugged into (e.g., via USB) or discovered (e.g., via NFC or Bluetooth) by the [=client=] by various mechanisms, or permanently built into the [=client=]. +1. If |options|.{{CredentialCreationOptions/mediation}} is present with the value + {{CredentialMediationRequirement/conditional}}: + + 1. If the user agent has not recently mediated an authentication, the origin of said authentication is not |callerOrigin|, or the user + does not consent to this type of credential creation, throw a "{{NotAllowedError}}" {{DOMException}}. + + It is up to the user agent to decide when it believes an authentication ceremony has + been completed. That authentication ceremony MAY be performed via other means than the + [=Web Authentication API=]. + 1. Consider the value of {{PublicKeyCredentialCreationOptions/hints}} and craft the user interface accordingly, as the user-agent sees fit. 1. Start |lifetimeTimer|. @@ -2000,7 +2025,10 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
: is set to {{UserVerificationRequirement/required}} - :: Let |userVerification| be [TRUE]. + :: 1. If |options|.{{CredentialCreationOptions/mediation}} is set to {{CredentialMediationRequirement/conditional}} + and [=user verification=] cannot be collected during the ceremony, + throw a {{ConstraintError}} {{DOMException}}. + 1. Let |userVerification| be [TRUE]. : is set to {{UserVerificationRequirement/preferred}} :: If the |authenticator| @@ -2199,7 +2227,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o [[#sctn-make-credential-privacy]] for details. During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and -authorizing an authenticator. +authorizing an authenticator. When |options|.{{CredentialCreationOptions/mediation}} is set to {{CredentialMediationRequirement/conditional}}, prominent modal UI should not be shown unless credential creation was previously consented to via means determined by the user agent. @@ -4612,9 +4640,7 @@ It takes the following input parameters: : |requireResidentKey| :: The [=effective resident key requirement for credential creation=], a Boolean value determined by the [=client=]. : |requireUserPresence| -:: The constant Boolean value [TRUE]. - It is included here as a pseudo-parameter to simplify applying this abstract authenticator model to implementations that may - wish to make a [=test of user presence=] optional although WebAuthn does not. +:: The constant Boolean value [TRUE], or |FALSE| when |options|.{{CredentialCreationOptions/mediation}} is set to {{CredentialMediationRequirement/conditional}} and the user agent previously collected consent from the user. : |requireUserVerification| :: The [=effective user verification requirement for credential creation=], a Boolean value determined by the [=client=]. : |credTypesAndPubKeyAlgs| 
@@ -5369,7 +5395,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o 1. Verify that the [=rpIdHash=] in |authData| is the SHA-256 hash of the [=RP ID=] expected by the [=[RP]=]. -1. Verify that the [=UP=] bit of the [=flags=] in |authData| is set. +1. Verify that the [=UP=] bit of the [=flags=] in |authData| is set, unless |options|.{{CredentialCreationOptions/mediation}} is set to {{CredentialMediationRequirement/conditional}}. 1. If the [=[RP]=] requires [=user verification=] for this registration, verify that the [=authData/flags/UV=] bit of the [=flags=] in |authData| is set.
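Review bot: In the contributors hunk (@@ -36,6 +36,7), the added entry "!Contributors: Pascoe (Apple)" gives a single name, while the neighbouring entries each give a given name and a family name. Add the given name so the entry matches the rest of the list. Its position between Mandyam and Satragno already keeps the list in alphabetical order.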
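Review bot: In the isConditionalMediationAvailable() hunk (@@ -1582,15 +1583,16), the reworded Note limits the method to navigator.credentials.get() but does not say where a Relying Party should look for the create() equivalent. The @@ -1736 hunk tells RPs to check {{ClientCapability/conditionalCreate}} in the result of getClientCapabilities(), so add a cross-reference to it here. Otherwise a reader can take a [TRUE] result from this method as covering create() as well.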
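Review bot: In the @@ -1736,8 +1738,16 hunk, the new requirement "The client MUST set BOTH |requireUserPresence| and |requireUserVerification| to |FALSE| ... unless they may explicitly performed during the ceremony" is missing a verb ("may be explicitly performed"), and its exception is too loosely worded for a MUST. It also does not line up with two other hunks. The @@ -2000 hunk still sets |userVerification| to [TRUE] when user verification is required, and the @@ -4612 hunk makes |requireUserPresence| false only when "the user agent previously collected consent from the user". Pick one condition and use the same wording in all three places. Two smaller points in the same paragraph: "if user has already consented" needs "the", and the Boolean is written |FALSE| (variable markup) where the rest of the patch writes [TRUE] and [FALSE].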
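Review bot: In the @@ -1776,6 +1786,11 hunk, the new sub-step 'Throw a "{{NotAllowedError}}" {{DOMException}}' has no terminating period, unlike the throw step added in the @@ -1912 hunk. Add the period. The step also gives no reason why conditional mediation is refused when sameOriginWithAncestors is [FALSE]. A one-sentence note stating the rationale would help implementers and reviewers of cross-origin embedding.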
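Review bot: In the @@ -1912,6 +1927,16 hunk, the step "If the user agent has not recently mediated an authentication ..." relies on "recently", which is not defined, and the follow-up paragraph leaves even the notion of a completed authentication ceremony to the user agent. Because this step is the gate that lets a credential be created without prominent modal UI, it should either define the term or give implementers guidance on what window is acceptable. The sentence also folds three separate conditions (no recent authentication, origin not equal to |callerOrigin|, no user consent) into one clause. Splitting them into sub-steps would make each one testable on its own.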
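Review bot: In the @@ -2000,7 +2025,10 hunk, the new sub-step throws "a {{ConstraintError}} {{DOMException}}" without quotation marks around the error name, while the other throw steps added by this patch write '"{{NotAllowedError}}" {{DOMException}}'. Use the quoted form for consistency. The condition "[=user verification=] cannot be collected during the ceremony" also does not say who determines this or at what point in the algorithm. State that explicitly so the error is raised deterministically.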
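Review bot: In the @@ -2199,7 +2227,7 hunk, the added sentence uses lowercase "should not be shown" directly after a sentence that uses the normative "SHOULD". If the restriction on prominent modal UI is meant to be normative, write "SHOULD NOT". If it is informative, move it into a Note. The phrase "via means determined by the user agent" would also benefit from a reference back to the consent check added in the @@ -1912 hunk, so that the two descriptions of consent do not drift apart.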
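Review bot: In the @@ -4612,9 +4640,7 hunk, the new |requireUserPresence| description mixes [TRUE] with |FALSE| in one sentence and refers to |options|, whereas the neighbouring parameters in this list are described as values "determined by the [=client=]". Describe this parameter the same way, as a Boolean the client determines, and put the conditional-mediation rule in the client algorithm. The removed sentence stated that WebAuthn does not make the test of user presence optional. Since this patch changes that, the replacement text should say so plainly rather than still calling the value "the constant Boolean value".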
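Review bot: In the @@ -5369,7 +5395,7 hunk, the exception "unless |options|.{{CredentialCreationOptions/mediation}} is set to {{CredentialMediationRequirement/conditional}}" does not say which |options| the Relying Party should consult when it verifies the response. The step should state that the exception applies only when the Relying Party itself requested conditional mediation for this ceremony, based on its own record of the request, so that the [=UP=] check is not skipped for an ordinary registration. Consider also saying what the Relying Party should do with a credential registered with the [=UP=] bit clear, since the step that follows covers only the [=authData/flags/UV=] bit.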