Correct the error type thrown during WebAuthn credential creation for 'payment' credentials. Due to a historic specification mismatch, creating a 'payment' credential in a cross-origin iframe without a user activation would throw a SecurityError instead of a NotAllowedError, which is what is thrown for non-payment credentials. This is a breaking change, albeit a niche one. Code that previously detected the type of error thrown (e.g., `e instanceof SecurityError`) would be affected. Code that just generally handles errors during credential creation (e.g. `catch (e)`) will continue to function correctly.
As part of Secure Payment Confirmation (SPC), WebAuthn credentials with the 'payment' extension could be created in a cross-origin iframe before this was allowed for other WebAuthn credentials. When the ability to do this for all WebAuthn credentials was added in https://github.com/w3c/webauthn/pull/1801, an accidental spec misalignment was made. In the very specific case of credential creation in a cross-origin iframe without user activation, the SPC spec said to throw a SecurityError, whilst the WebAuthn spec said to throw a NotAllowedError. This misalignment has now been corrected at the specification level (https://github.com/w3c/secure-payment-confirmation/issues/267), and so left Chromium as non-compliant with the specification.
Explainers: https://github.com/w3c/secure-payment-confirmation/issues/267