addresses #251 for makeCredential(), fixes #268

index.bs

@@ -387,7 +387,8 @@ This method takes the following parameters:
 
 When this method is invoked, the user agent MUST execute the following algorithm:
 
-1. If {{ScopedCredentialOptions/timeoutSeconds}} was specified, check if its value lies within a reasonable range as defined by
+1. If the {{ScopedCredentialOptions/timeoutSeconds}} member of {{options}} is <a>present</a>, check if its value lies 
+    within a reasonable range as defined by
     the platform and if not, correct it to the closest value lying within that range. Set |adjustedTimeout| to this adjusted
     value. If {{ScopedCredentialOptions/timeoutSeconds}} was not specified, then set |adjustedTimeout| to a platform-specific
     default.
@@ -400,9 +401,10 @@ When this method is invoked, the user agent MUST execute the following algorithm
 3. Set |callerOrigin| to the <a link-for='web'>current settings object</a>'s <a link-for='web'>origin</a>. If |callerOrigin| is 
     an <a link-for='web'>opaque origin</a>, reject |promise| with a <a>DOMException</a> whose name is "NotAllowedError", and
     terminate this algorithm. Otherwise,
-    - If {{ScopedCredentialOptions/rpId}} is not specified, then set |rpId| to |callerOrigin|, and |rpIdHash| to the SHA-256
-        hash of |rpId|.
-    - If {{ScopedCredentialOptions/rpId}} is specified, then invoke the procedure used for <a>relaxing the same-origin
+    - If the {{ScopedCredentialOptions/rpId}} member of {{options}} is not <a>present</a>, then set |rpId| to |callerOrigin|, 
+        and |rpIdHash| to the SHA-256 hash of |rpId|.
+    - If the {{ScopedCredentialOptions/rpId}} member of {{options}} is <a>present</a>, then invoke the procedure used for 
+        <a>relaxing the same-origin
         restriction</a> by setting the `document.domain` attribute, using {{ScopedCredentialOptions/rpId}} as the given value
         but without changing the current document's `domain`. If no errors are thrown, set |rpId| to the value of `host` as
         computed by this procedure, and |rpIdHash| to the SHA-256 hash of |rpId|. Otherwise, reject |promise| with a
@@ -421,25 +423,24 @@ When this method is invoked, the user agent MUST execute the following algorithm
 5. If |normalizedAlgorithm| is empty and {{cryptoParameters}} was not empty, cancel the timer started in step 2, reject
     |promise| with a DOMException whose name is "NotSupportedError", and terminate this algorithm.
 
-6. If {{ScopedCredentialOptions/excludeList}} is undefined, set it to the empty list.
-
-7. If {{ScopedCredentialOptions/extensions}} was specified, process any extensions supported by this client platform, to produce
-    the extension data that needs to be sent to the authenticator. If an error is encountered while processing an extension,
-    skip that extension and do not produce any extension data for it. Call the result of this processing |clientExtensions|.
+6. If the {{ScopedCredentialOptions/extensions}} member of {{options}} is <a>present</a>, process any extensions supported by
+    this client platform, to produce the extension data that needs to be sent to the authenticator. If an error is encountered
+    while processing an extension, skip that extension and do not produce any extension data for it. Call the result of this
+    processing |clientExtensions|.
 
-8. Use {{attestationChallenge}}, |callerOrigin| and |rpId|, along with the token binding key associated with |callerOrigin| (if
+7. Use {{attestationChallenge}}, |callerOrigin| and |rpId|, along with the token binding key associated with |callerOrigin| (if
     any), to create a {{ClientData}} structure representing this request. Choose a hash algorithm for {{ClientData/hashAlg}} and
     compute the <a>clientDataJSON</a> and <a>clientDataHash</a>.
 
-9. Initialize |issuedRequests| to an empty list.
+8. Initialize |issuedRequests| to an empty list.
 
-10. For each authenticator currently available on this platform: asynchronously invoke the <a>authenticatorMakeCredential</a>
+9. For each authenticator currently available on this platform: asynchronously invoke the <a>authenticatorMakeCredential</a>
     operation on that authenticator with |rpIdHash|, <a>clientDataHash</a>, {{accountInformation}}, |normalizedParameters|,
     {{ScopedCredentialOptions/excludeList}} and |clientExtensions| as parameters. Add a corresponding entry to |issuedRequests|.
-    - For each credential C in {{ScopedCredentialOptions/excludeList}} that has a non-empty |transports| list, optionally use
-        only the specified transports to test for the existence of C.
+    - For each credential C in the {{ScopedCredentialOptions/excludeList}} member of {{options}} that has a non-empty
+    |transports| list, optionally use only the specified transports to test for the existence of C.
 
-11. While |issuedRequests| is not empty, perform the following actions depending upon the |adjustedTimeout| timer and responses
+10. While |issuedRequests| is not empty, perform the following actions depending upon the |adjustedTimeout| timer and responses
     from the authenticators:
     - If the |adjustedTimeout| timer expires, then for each entry in |issuedRequests| invoke the <a>authenticatorCancel</a>
         operation on that authenticator and remove its entry from the list.
@@ -455,7 +456,7 @@ When this method is invoked, the user agent MUST execute the following algorithm
             remove its entry from the list.
         - Resolve |promise| with |value| and terminate this algorithm.
 
-12. Reject |promise| with a <a>DOMException</a> whose name is "NotAllowedError", and terminate this algorithm.
+11. Reject |promise| with a <a>DOMException</a> whose name is "NotAllowedError", and terminate this algorithm.
 
 During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and
 authorizing an authenticator.
@@ -509,7 +510,7 @@ When this method is invoked, the user agent MUST execute the following algorithm
 6. Initialize |issuedRequests| to an empty list.
 
 7. For each authenticator currently available on this platform, perform the following steps:
-    - If {{AssertionOptions/allowList}} is undefined or empty, let |credentialList| be an empty list. Otherwise, execute a
+    - If {{AssertionOptions/allowList}} is empty, let |credentialList| be an empty list. Otherwise, execute a
         platform-specific procedure to determine which, if any, credentials listed in {{AssertionOptions/allowList}} might be
         present on this authenticator, and set |credentialList| to this filtered list. If no such filtering is possible, set
         |credentialList| to an empty list.
@@ -625,10 +626,10 @@ authorizing an authenticator with which to complete the operation.
 
 <pre class="idl">
     dictionary ScopedCredentialOptions {
-        unsigned long                             timeoutSeconds;
-        USVString                                 rpId;
-        sequence < ScopedCredentialDescriptor >  excludeList;
-        WebAuthnExtensions                        extensions;
+        unsigned long                           timeoutSeconds;
+        USVString                               rpId;
+        sequence < ScopedCredentialDescriptor > excludeList = [];
+        WebAuthnExtensions                      extensions;
     };
 </pre>
 
@@ -687,10 +688,10 @@ user consent to a specific transaction. The structure of these signatures is def
 
 <pre class="idl">
     dictionary AssertionOptions {
-        unsigned long                            timeoutSeconds;
-        USVString                                rpId;
-        sequence < ScopedCredentialDescriptor > allowList;
-        WebAuthnExtensions                       extensions;
+        unsigned long                           timeoutSeconds;
+        USVString                               rpId;
+        sequence < ScopedCredentialDescriptor > allowList = [];
+        WebAuthnExtensions                      extensions;
     };
 </pre>