Hey Martin, Rick pointed out in API OWNERS that I'd missed this was already shipped, which I guess obviates my previous question. LGTM1 conditional on the various reviews being requested via the tool (security, enterprise, debuggability, and testing).
Best, Alex On Tuesday, January 20, 2026 at 11:48:05 AM UTC-8 Alex Russell wrote: > I'm inclined to LGTM this in light of Apple already shipping, but it's > strange that no considered alternatives are discussed in the Explainer. > Were these sorted out in the TAG review? Is there a link to that discussion > somewhere? > > Best, > > Alex > > On Friday, January 16, 2026 at 8:53:01 AM UTC-8 Rick Byers wrote: > >> Thanks for acknowledging the mistake and sending this retroactively >> Martin. No concerns with the intent from me, LGTM1. >> >> Sorry we didn't have any way in our 'webexposed' tests to double-check >> for approvals for this sort of new feature (JSON-schema only change to the >> argument of a web-exposed API). I don't see any reliable and low-friction >> check we could add for cases like this, so I think we should just chalk >> this up as a known limitation of our heuristics. Mistakes like this do >> happen occasionally but IMHO they are extremely rare so not something I >> think we need to take special action on. >> >> >> >> On Thu, Jan 15, 2026 at 3:58 PM 'Martin Kreichgauer' via blink-dev < >> [email protected]> wrote: >> >>> Hello API Owners, >>> >>> This feature was launched on Desktop in Chrome 136 and Android in 142, >>> and we unfortunately forgot to request Intent to Ship approvals. I just >>> realized this mistake while we were cleaning up old feature flags, my >>> apologies. Are there any concerns or could we please have retroactive LGTMs? >>> >>> For context, this was an additional feature to WebAuthn that had an >>> already existing spec and an implementation in WebKit. Several large >>> Relying Parties have adopted it already. >>> >>> Thanks, >>> Martin Kreichgauer >>> >>> >>> >>> On Thu, Jan 15, 2026 at 12:57 PM Chromestatus < >>> [email protected]> wrote: >>> >>>> *Contact emails* >>>> [email protected] >>>> >>>> *Specification* >>>> >>>> https://w3c.github.io/webappsec-credential-management/#dom-credentialmediationrequirement-conditional:~:text=For%20create >>>> >>>> >>>> *Summary* >>>> WebAuthn Conditional Create allows websites to automatically create >>>> passkeys for existing users that have a matching password saved in their >>>> password manager. >>>> >>>> *Blink component* >>>> Blink>WebAuthentication >>>> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EWebAuthentication%22> >>>> >>>> *Web Feature ID* >>>> *No information provided* >>>> >>>> *Motivation* >>>> WebAuthn Conditional Create requests let a website (aka a Relying Party >>>> or RP) create a passkey without prominent modal mediation, if the user has >>>> previously consented to credential creation. The motivating use case is >>>> commonly referred to as "passkey upgrades". I.e., if the >>>> browser/credential >>>> manager already stores an existing password credential for the same >>>> website/relying party and user, conditional create allows the the website >>>> automatically create a matching passkey. An explainer with more >>>> information >>>> is hosted in the W3C WebAuthn wiki: >>>> https://github.com/w3c/webauthn/wiki/Explainer:-Conditional-Registration-Extension >>>> >>>> >>>> *Initial public proposal* >>>> *No information provided* >>>> >>>> *TAG review* >>>> *No information provided* >>>> >>>> *TAG review status* >>>> Issues addressed >>>> >>>> *Risks* >>>> >>>> >>>> *Interoperability and Compatibility* >>>> WebKit already shipped this feature ahead of Blink, so this launch is >>>> positive for interoperability. >>>> >>>> *Gecko*: No signal >>>> >>>> *WebKit*: Shipped/Shipping ( >>>> https://developer.apple.com/documentation/safari-release-notes/safari-18-release-notes#Authentication:~:text=Implemented%20conditional%20credential%20creation.%20 >>>> ) >>>> >>>> *Web developers*: No signals >>>> >>>> *Other signals*: >>>> >>>> *WebView application risks* >>>> >>>> Does this intent deprecate or change behavior of existing APIs, such >>>> that it has potentially high risk for Android WebView-based applications? >>>> *No information provided* >>>> >>>> >>>> *Debuggability* >>>> *No information provided* >>>> >>>> *Will this feature be supported on all six Blink platforms (Windows, >>>> Mac, Linux, ChromeOS, Android, and Android WebView)?* >>>> Yes >>>> Blink implements this feature on all platforms. On Android, requests >>>> are forwarded to the native Credential Manager API, where supporting >>>> password managers need to implement it separately. >>>> >>>> *Is this feature fully tested by web-platform-tests >>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?* >>>> Yes >>>> >>>> https://wpt.fyi/results/webauthn/conditional-mediation.https.html?label=experimental&label=master&aligned >>>> >>>> *Flag name on about://flags* >>>> *No information provided* >>>> >>>> *Finch feature name* >>>> *No information provided* >>>> >>>> *Non-finch justification* >>>> *No information provided* >>>> >>>> *Rollout plan* >>>> Will ship enabled for all users >>>> >>>> *Requires code in //chrome?* >>>> False >>>> >>>> *Tracking bug* >>>> https://crbug.com/377758786 >>>> >>>> *Launch bug* >>>> https://launch.corp.google.com/launch/4373425 >>>> >>>> *Estimated milestones* >>>> Shipping on desktop 136 >>>> Shipping on Android 142 >>>> >>>> *Anticipated spec changes* >>>> >>>> Open questions about a feature may be a source of future web compat or >>>> interop issues. Please list open issues (e.g. links to known github issues >>>> in the project for the feature specification) whose resolution may >>>> introduce web compat/interop risk (e.g., changing to naming or structure >>>> of >>>> the API in a non-backward-compatible way). >>>> *No information provided* >>>> >>>> *Link to entry on the Chrome Platform Status* >>>> https://chromestatus.com/feature/5135710007590912?gate=5163515357429760 >>>> >>>> *Links to previous Intent discussions* >>>> Intent to Prototype: >>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/67329059.2b0a0220.26ec07.069d.GAE%40google.com >>>> Ready for Trial: >>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/XFJmqtQpMds/m/ipPKSS5ECQAJ >>>> >>>> >>>> This intent message was generated by Chrome Platform Status >>>> <https://chromestatus.com>. >>>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "blink-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion visit >>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAB%3DfcEZ%3DRM9VMS_8eWedDh4ADOFq%3DF-imw5oTpTcW4YvvtR66w%40mail.gmail.com >>> >>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAB%3DfcEZ%3DRM9VMS_8eWedDh4ADOFq%3DF-imw5oTpTcW4YvvtR66w%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/a041dfcd-667d-4c3d-a78b-7a0204d53328n%40chromium.org.
