PublicKeyCredential.getClientCapabilities() - clarify required permission #2251

Closed
hamishwillee opened this issue Jan 31, 2025 · 4 comments · Fixed by #2267

Comments

@hamishwillee

PublicKeyCredential.getClientCapabilities() spec says:

Note: Invoking this method from a browsing context where the Web Authentication API is "disabled" according to the allowed to use algorithm—i.e., by a permissions policy—will result in the promise being rejected with a DOMException whose name is "NotAllowedError". See also § 5.9 Permissions Policy integration.

However, the API is gated by two permissions, and they are quite specific to either creation or fetching credentials. Can you clarify whether it is one permission or both that gates access to this method?

This is for MDN docs for the method mdn/content#37516

@MasterKale
Contributor

MasterKale commented Feb 26, 2025

That text appears to have been copy-pasted from the same text under isUserVerifyingPlatformAuthenticatorAvailable():

https://www.w3.org/TR/webauthn-2/#sctn-isUserVerifyingPlatformAuthenticatorAvailable

It was added to isUVPAA() four years ago as part of #1476. It doesn't sound like it's valid guidance anymore based on modern client behaviors so perhaps we remove it from getCC() at least.

@nsatragno
Member

Chrome (and Safari? cc @pascoej) never actually shipped a restriction on this or isuvpaa linked to permissions policy. Let's remove this text (and you can ignore it for MDN).

@MasterKale
Contributor

MasterKale commented Feb 26, 2025

I'll make a PR to at least remove this text from getCC() and make the change in L3 so it's editorial. @kreichgauer has volunteered to try and determine if we can remove the same text from isUVPAA() by manually testing Firefox to see if permission policy was imposed on use of the method.

Edit: It's been confirmed that Firefox doesn't impose any such restrictions on use of isUVPAA() that necessitate calling out permissions policy restrictions. The PR will thus feature deletion of this guidance from both API methods.

@hamishwillee
Author

Thanks very much! FYI, fixed in MDN in mdn/content#38617
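
Added example, not part of the thread or the spec text: a relying-party capability probe that behaves sensibly whether or not a client rejects `getClientCapabilities()` with `NotAllowedError`, and falls back to `isUserVerifyingPlatformAuthenticatorAvailable()` where the newer method is missing. The helper name `probeWebAuthnClient`, the result shape and the three fake client objects are hypothetical and constructed for illustration.

```javascript
// Hypothetical helper (not from the spec or the thread): probe WebAuthn client
// capabilities without treating a policy rejection as "no WebAuthn support".
async function probeWebAuthnClient(pkc = globalThis.PublicKeyCredential) {
  const result = { supported: false, source: "none", blockedByPolicy: false, capabilities: {} };
  if (!pkc) return result; // API not exposed in this context
  result.supported = true;

  if (typeof pkc.getClientCapabilities === "function") {
    try {
      result.capabilities = { ...(await pkc.getClientCapabilities()) };
      result.source = "getClientCapabilities";
      return result;
    } catch (err) {
      if (err && err.name === "NotAllowedError") {
        // The rejection described in the quoted spec note: report it, do not guess.
        result.blockedByPolicy = true;
        return result;
      }
      // Any other failure: fall through to the older method.
    }
  }
  if (typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable === "function") {
    try {
      result.capabilities.userVerifyingPlatformAuthenticator =
        await pkc.isUserVerifyingPlatformAuthenticatorAvailable();
      result.source = "isUVPAA";
    } catch (err) {
      result.blockedByPolicy = Boolean(err) && err.name === "NotAllowedError";
    }
  }
  return result;
}

// Constructed stand-ins for PublicKeyCredential so the example runs outside a browser.
const fakeModernClient = {
  getClientCapabilities: async () => ({ conditionalGet: true, userVerifyingPlatformAuthenticator: false }),
};
const fakePolicyBlockedClient = {
  getClientCapabilities: async () => {
    throw Object.assign(new Error("disabled by permissions policy"), { name: "NotAllowedError" });
  },
};
const fakeLegacyClient = {
  isUserVerifyingPlatformAuthenticatorAvailable: async () => true,
};
```

In a browser, call `probeWebAuthnClient()` with no argument so it reads the real `PublicKeyCredential`.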
