do not call authenticatorMakeCredential() with separate |rpId| fixes #…

…466

index.bs

@@ -526,11 +526,12 @@ When this method is invoked, the user agent MUST execute the following algorithm
 
 1. Let |options| be the value of <code>|options|.{{CredentialCreationOptions/publicKey}}</code>.
 
-1. If any of the {{PublicKeyCredentialEntity/name}} member of |options|.{{MakeCredentialOptions/rp}}, the
-    {{PublicKeyCredentialEntity/name}} member of |options|.{{MakeCredentialOptions/user}},
+1. If any of the {{PublicKeyCredentialEntity/name}} member of <code>|options|.{{MakeCredentialOptions/rp}}</code>, the
+    {{PublicKeyCredentialEntity/name}} member of <code>|options|.{{MakeCredentialOptions/user}}</code>,
     the {{PublicKeyCredentialUserEntity/displayName}} member of |options|.{{MakeCredentialOptions/user}},
     or the {{PublicKeyCredentialEntity/id}}
-    member of |options|.{{MakeCredentialOptions/user}} are [=present|not present=], return a {{TypeError}} [=simple exception=].
+    member of <code>|options|.{{MakeCredentialOptions/user}}</code> are [=present|not present=], return a {{TypeError}}
+    [=simple exception=].
 
 1. If the {{MakeCredentialOptions/timeout}} member of |options| is [=present=], check if its value lies within a
     reasonable range as defined by the platform and if not, correct it to the closest value lying within that range. Set
@@ -551,29 +552,34 @@ When this method is invoked, the user agent MUST execute the following algorithm
         [=ipv6 address=], [=opaque host=], or [=empty host=] -- are disallowed.
 -->
 
-1. Let |rpId| be |effectiveDomain|.
-
 <!-- Note: this next step is actually a top-level step, but bikeshed wanted it indented this much in order to compile w/o errors
 -->
     <li id='CreateCred-DetermineRpId'>
-       If |options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}} is [=present=]:
+        If <code>|options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}}</code>
+            <dl class="switch">
+
+                :   Is [=present=]
+                ::  If <code>|options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}}</code> [=is not a
+                    registrable domain suffix of and is not equal to=] |effectiveDomain|, return a {{DOMException}} whose name
+                    is "{{SecurityError}}", and terminate this algorithm.
 
-        1. If |options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}} [=is not a registrable domain suffix of 
-            and is not equal to=] |effectiveDomain|, return a {{DOMException}} whose name is "{{SecurityError}}", and terminate
-            this algorithm.
+                :   Is [=present|not present=]
+                ::  Set <code>|options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}}</code> to
+                    |effectiveDomain|.
 
-        1. Set |rpId| to |options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}}.
+            </dl>
 
-            Note: |rpId| represents the caller's [=RP ID=]. The [=RP ID=] defaults to being the caller's [=environment settings
-            object/origin=]'s [=effective domain=] unless the caller has explicitly set
-            |options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}} when calling
+        Note: <code>|options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}}</code> represents the caller's
+            [=RP ID=]. The [=RP ID=] defaults to being the caller's [=environment settings object/origin=]'s [=effective
+            domain=] unless the caller has explicitly set
+            <code>|options|.{{MakeCredentialOptions/rp}}.{{PublicKeyCredentialEntity/id}}</code> when calling
             {{CredentialsContainer/create()}}.
     </li>
 
 1. Let |normalizedParameters| be a new [=list=] whose [=list/items=] are pairs of {{PublicKeyCredentialType}} and a
     [=dictionary=] type (as returned by [=normalizing an algorithm=]).
 
-1. [=list/For each=] |current| of |options|.{{MakeCredentialOptions/parameters}}:
+1. [=list/For each=] |current| of <code>|options|.{{MakeCredentialOptions/parameters}}</code>:
     1. If <code>|current|.{{PublicKeyCredentialParameters/type}}</code> does not contain a {{PublicKeyCredentialType}} supported
         by this implementation, then [=continue=].
     1. Let |normalizedAlgorithm| be the result of [=normalizing an algorithm=] [[!WebCryptoAPI]], with |alg| set to
@@ -582,9 +588,9 @@ When this method is invoked, the user agent MUST execute the following algorithm
     1. [=list/Append=] the pair of <code>|current|.{{PublicKeyCredentialParameters/type}}</code> and |normalizedAlgorithm| to
         |normalizedParameters|.
 
-1. If |normalizedParameters| [=list/is empty=] and |options|.{{MakeCredentialOptions/parameters}} [=list/is not empty=],
-    cancel the timer started in step 2, return a {{DOMException}} whose name is "{{NotSupportedError}}", and terminate this
-    algorithm.
+1. If |normalizedParameters| [=list/is empty=] and <code>|options|.{{MakeCredentialOptions/parameters}}</code>
+    [=list/is not empty=], cancel the timer started in step 2, return a {{DOMException}} whose name is "{{NotSupportedError}}",
+    and terminate this algorithm.
 
 1. Let |clientExtensions| be a new [=map=] and let |authenticatorExtensions| be a new [=map=].
 
@@ -628,7 +634,7 @@ When this method is invoked, the user agent MUST execute the following algorithm
 1. If |currentlyAvailableAuthenticators| [=list/is empty=], return a {{DOMException}} whose name is
     "{{NotFoundError}}", and terminate this algorithm.
 
-1. If |options|.{{MakeCredentialOptions/authenticatorSelection}} is [=present|present=], iterate through
+1. If <code>|options|.{{MakeCredentialOptions/authenticatorSelection}}</code> is [=present|present=], iterate through
         |currentlyAvailableAuthenticators| and do the following [=set/for each=] |authenticator|:
     1. If {{AuthenticatorSelectionCriteria/attachment}} is [=present|present=] and its value is not equal
         to |authenticator|'s attachment modality, [=iteration/continue=].
@@ -647,8 +653,8 @@ When this method is invoked, the user agent MUST execute the following algorithm
         1. If <code>|C|.{{transports}}</code> [=list/is not empty=], and |authenticator| is connected over a transport not
             mentioned in <code>|C|.{{transports}}</code>, the client MAY [=continue=].
         1. Otherwise, [=list/Append=] |C| to |excludeCredentialDescriptorList|.
-    1. [=In parallel=], invoke the [=authenticatorMakeCredential=] operation on |authenticator| with |rpId|,
-        |clientDataHash|, |options|.{{MakeCredentialOptions/rp}}, |options|.{{MakeCredentialOptions/user}},
+    1. [=In parallel=], invoke the [=authenticatorMakeCredential=] operation on |authenticator| with
+        |clientDataHash|, <code>|options|.{{MakeCredentialOptions/rp}}</code>, <code>|options|.{{MakeCredentialOptions/user}}</code>,
         |normalizedParameters|, |excludeCredentialDescriptorList|, and |authenticatorExtensions| as parameters.
     1. [=set/Append=] |authenticator| to |issuedRequests|.
 
@@ -693,7 +699,7 @@ When this method is invoked, the user agent MUST execute the following algorithm
             :   {{PublicKeyCredential/clientExtensionResults}}
             ::  A new {{AuthenticationExtensions}} object containing the [=extension identifier=] → [=client extension output=]
                 entries created by running each extension's [=client extension processing=] algorithm to create the [=client
-                extension outputs=], for each [=client extension=] in {{AuthenticatorResponse/clientDataJSON}}.clientExtensions.
+                extension outputs=], for each [=client extension=] in {{AuthenticatorResponse/clientDataJSON}}<code>.clientExtensions</code>.
 
         5. [=set/For each=] remaining |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on
             |authenticator| and [=set/remove=] it from |issuedRequests|.
@@ -761,7 +767,7 @@ When this method is invoked, the user agent MUST execute the following algorithm
 
                 Otherwise:
 
-                1. If |options|.{{PublicKeyCredentialRequestOptions/rpId}} [=is not a registrable domain suffix of and is not 
+                1. If |options|.{{PublicKeyCredentialRequestOptions/rpId}} [=is not a registrable domain suffix of and is not
                     equal to=] |effectiveDomain|, return a {{DOMException}} whose name is "{{SecurityError}}", and terminate
                     this algorithm.
 
@@ -825,7 +831,7 @@ When this method is invoked, the user agent MUST execute the following algorithm
         <code>|options|.{{PublicKeyCredentialRequestOptions/allowCredentials}}.{{PublicKeyCredentialDescriptor/type}}</code>.
         Set |allowCredentialDescriptorList| to this filtered list.
 
-    1. If |allowCredentialDescriptorList| 
+    1. If |allowCredentialDescriptorList|
         <dl class="switch">
             :   [=list/is not empty=]
             ::  1. Let |distinctTransports| be a new [=ordered set=].
@@ -1537,9 +1543,9 @@ The following operations can be invoked by the client in an authenticator sessio
 This operation must be invoked in an authenticator session which has no other operations in progress. It takes the following
 input parameters:
 
-- The caller's [=RP ID=], as <a href='#CreateCred-DetermineRpId'>determined</a> by the user agent and the client.
 - The [=hash of the serialized client data=], provided by the client.
-- The [=[RP]=]'s {{PublicKeyCredentialEntity}}.
+- The [=[RP]=]'s {{PublicKeyCredentialEntity}}. This contains the caller's [=RP ID=], as
+    <a href='#CreateCred-DetermineRpId'>determined</a> by the user agent and the client.
 - The user account's {{PublicKeyCredentialUserEntity}}.
 - A sequence of pairs of {{PublicKeyCredentialType}} and cryptographic algorithms (a dictionary type) requested by the [=[RP]=],
     where the cryptographic algorithms are normalized as per the procedure in