merge from master

w3c · Jun 8, 2017 · 3ea36d7 · 3ea36d7
2 parents adc0373 + d8b103a
commit 3ea36d7
Showing 1 changed file with 52 additions and 30 deletions.
diff --git a/index.bs b/index.bs
@@ -497,6 +497,7 @@ To support obtaining assertions via {{CredentialsContainer/get()|navigator.crede
     };
 </pre>
 
+
 ### Create a new credential - PublicKeyCredential's `[[Create]](options)` method ### {#createCredential}
 
 <div link-for-hint="PublicKeyCredential/[[Create]](options)">
@@ -550,21 +551,25 @@ When this method is invoked, the user agent MUST execute the following algorithm
         [=ipv6 address=], [=opaque host=], or [=empty host=] -- are disallowed.
 -->
 
+1. Let |rpId| be |effectiveDomain|.
+
 <!-- Note: this next step is actually a top-level step, but bikeshed wanted it indented this much in order to compile w/o errors
 -->
-1. Let |rpId| be |effectiveDomain|.
     <li id='CreateCred-DetermineRpId'>
        If |options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}} is [=present=]:
 
-        1. If |options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}} [=is not a registrable domain suffix of and is
-            not equal to=] |effectiveDomain|, return a {{DOMException}} whose name is "{{SecurityError}}", and terminate this
-            algorithm.
+        1. If |options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}} [=is not a registrable domain suffix of 
+            and is not equal to=] |effectiveDomain|, return a {{DOMException}} whose name is "{{SecurityError}}", and terminate
+            this algorithm.
+
         1. Set |rpId| to |options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}}.
 
             Note: |rpId| represents the caller's [=RP ID=]. The [=RP ID=] defaults to being the caller's [=environment settings
             object/origin=]'s [=effective domain=] unless the caller has explicitly set
-            |options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}} when calling {{CredentialsContainer/create()}}.
+            |options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}} when calling
+            {{CredentialsContainer/create()}}.
     </li>
+
 1. Let |normalizedParameters| be a new [=list=] whose [=list/items=] are pairs of {{PublicKeyCredentialType}} and a
     [=dictionary=] type (as returned by [=normalizing an algorithm=]).
 
@@ -751,18 +756,22 @@ When this method is invoked, the user agent MUST execute the following algorithm
 -->
 
         <li id='GetAssn-DetermineRpId'>
-            If |options|.{{PublicKeyCredentialRequestOptions/rpId}} is [=present|not present=], then set |rpId| to |effectiveDomain|.
+            If |options|.{{PublicKeyCredentialRequestOptions/rpId}} is [=present|not present=], then set |rpId| to
+                |effectiveDomain|.
 
                 Otherwise:
 
-                1. If |options|.{{PublicKeyCredentialRequestOptions/rpId}} [=is not a registrable domain suffix of and is not equal to=]
-                    |effectiveDomain|, return a {{DOMException}} whose name is "{{SecurityError}}", and terminate this algorithm.
+                1. If |options|.{{PublicKeyCredentialRequestOptions/rpId}} [=is not a registrable domain suffix of and is not 
+                    equal to=] |effectiveDomain|, return a {{DOMException}} whose name is "{{SecurityError}}", and terminate
+                    this algorithm.
+
                 1. Set |rpId| to |options|.{{PublicKeyCredentialRequestOptions/rpId}}.
 
-                    Note: |rpId| represents the caller's [=RP ID=]. The [=RP ID=] defaults to being the caller's [=environment settings
-                    object/origin=]'s [=effective domain=] unless the caller has explicitly set
+                    Note: |rpId| represents the caller's [=RP ID=]. The [=RP ID=] defaults to being the caller's [=environment
+                    settings object/origin=]'s [=effective domain=] unless the caller has explicitly set
                     |options|.{{PublicKeyCredentialRequestOptions/rpId}} when calling {{CredentialsContainer/get()}}.
         </li>
+
 1. Let |clientExtensions| be a new [=map=] and let |authenticatorExtensions| be a new [=map=].
 
 1. If the {{PublicKeyCredentialRequestOptions/extensions}} member of |options| is [=present=], then [=map/for each=]
@@ -802,30 +811,42 @@ When this method is invoked, the user agent MUST execute the following algorithm
 1. If there are no [=authenticators=] currently available on this platform, return a {{DOMException}} whose name is
     "{{NotFoundError}}", and terminate this algorithm.
 
-1. For each |authenticator| currently available on this platform, perform the following steps:
-
-    1. Let |credentialList| be a new [=list=].
-
-    1. If <code>|options|.{{PublicKeyCredentialRequestOptions/allowCredentials}}</code> [=list/is not empty=], execute a
-        platform-specific procedure to determine which, if any, credentials in
-        <code>|options|.{{PublicKeyCredentialRequestOptions/allowCredentials}}</code> are present on this |authenticator| by
-        matching with
-        <code>|options|.{{PublicKeyCredentialRequestOptions/allowCredentials}}.{{PublicKeyCredentialDescriptor/id}}</code> and
-        <code>|options|.{{PublicKeyCredentialRequestOptions/allowCredentials}}.{{PublicKeyCredentialDescriptor/type}}</code>,
-        and set |credentialList| to this filtered list.
+1. Let |authenticator| be a platform-specific handle whose value identifies an [=authenticator=].
 
-    1. If |credentialList| [=list/is empty=] then [=continue=].
+1. For each |authenticator| currently available on this platform, perform the following steps:
 
-    1. [=In parallel=], [=list/for each=] credential |C| in |credentialList|:
-        1. If <code>|C|.{{transports}}</code> [=list/is not empty=], the client SHOULD select one |transport| from
-            {{transports}}. Then, using |transport|, invoke the [=authenticatorGetAssertion=] operation on |authenticator|, with
-            |rpId|, |clientDataHash|, |credentialList|, and |authenticatorExtensions| as parameters.
-        1. Otherwise, using local configuration knowledge of the appropriate transport to use with |authenticator|, invoke the
-            [=authenticatorGetAssertion=] operation on |authenticator| with |rpId|, |clientDataHash|, |credentialList|, and
-            |clientExtensions| as parameters.
+    1. Let |credentialDescriptorList| be a new [=list=].
+
+    1. If <code>|options|.{{PublicKeyCredentialRequestOptions/allowList}}</code> [=list/is not empty=], execute a
+        platform-specific procedure to determine which, if any, [=public key credentials=] described by
+        <code>|options|.{{PublicKeyCredentialRequestOptions/allowList}}</code> are bound to this |authenticator|, by
+        matching with |rpId|,
+        <code>|options|.{{PublicKeyCredentialRequestOptions/allowList}}.{{PublicKeyCredentialDescriptor/id}}</code>, and
+        <code>|options|.{{PublicKeyCredentialRequestOptions/allowList}}.{{PublicKeyCredentialDescriptor/type}}</code>.
+        Set |credentialDescriptorList| to this filtered list.
+
+    1. If |credentialDescriptorList| 
+        <dl class="switch">
+            :   [=list/is not empty=]
+            ::  [=in parallel=], [=list/for each=] credential |C| in |credentialDescriptorList|:
+                1. If <code>|C|.{{transports}}</code> [=list/is not empty=], the client SHOULD select one |transport| from
+                    {{transports}}. Then, using |transport|, invoke the [=authenticatorGetAssertion=] operation on
+                    |authenticator|, with |rpId|, |clientDataHash|, |credentialDescriptorList|, and |authenticatorExtensions| as
+                    parameters.
+
+                1. Otherwise, using local configuration knowledge of the appropriate transport to use with |authenticator|, 
+                    invoke the [=authenticatorGetAssertion=] operation on |authenticator| with |rpId|,
+                    |clientDataHash|, |credentialDescriptorList|, and |clientExtensions| as parameters.
+
+            :   [=list/is empty=]
+            ::  Using local configuration knowledge of the appropriate transport to use with |authenticator|, invoke
+                [=in parallel=] the [=authenticatorGetAssertion=] operation on |authenticator| with |rpId|, |clientDataHash|,
+                and |clientExtensions| as parameters.
+        </dl>
 
     1. [=set/Append=] |authenticator| to |issuedRequests|.
 
+
 1. Start a timer for |adjustedTimeout| milliseconds. Then execute the following steps [=in parallel=]. The [=task source=] for
     these [=tasks=] is the [=dom manipulation task source=].
 
@@ -883,6 +904,7 @@ During the above process, the user agent SHOULD show some UI to the user to guid
 authorizing an authenticator with which to complete the operation.
 </div>
 
+
 ## Authenticator Responses (interface <dfn interface>AuthenticatorResponse</dfn>) ## {#iface-authenticatorresponse}
 
 [=Authenticators=] respond to [=[RP]=] requests by returning an object derived from the
@@ -1186,7 +1208,7 @@ an assertion. Its {{PublicKeyCredentialRequestOptions/challenge}} member must be
     :   <dfn>allowCredentials</dfn>
     ::  This optional member contains a list of {{PublicKeyCredentialDescriptor}} object representing [=public key credentials=]
         acceptable to the caller, in decending order of the caller's preference (the first item in the list is the most
-        preferred credential, and so on down the line).
+        preferred credential, and so on down the list).
 
     :   <dfn>extensions</dfn>
     ::  This optional member contains additional parameters requesting additional processing by the client and authenticator.