w3c · nsatragno · Dec 6, 2021 · Feb 18, 2021 · Oct 18, 2021 · Oct 24, 2021
diff --git a/index.bs b/index.bs
@@ -286,6 +286,7 @@ spec:css-syntax-3;
     interface Credential {
       readonly attribute USVString id;
       readonly attribute DOMString type;
+      static boolean isConditionalMediationAvailable();
     };
   </pre>
   <div dfn-for="Credential">
@@ -297,6 +298,22 @@ spec:css-syntax-3;
     ::  This attribute's getter returns the value of the object's [=interface object=]'s
         {{[[type]]}} slot, which specifies the [=credential type=] represented by this object.
 
+    :   <dfn method>isConditionalMediationAvailable()</dfn>
+    ::  Returns `true` if and only if the user agent supports the
+        {{CredentialMediationRequirement/conditional}} approach to
+        [[#mediation-requirements|mediation of credential requests]] for the [=credential type=],
+        `false` otherwise.
+
+        {{Credential}}'s default implementation of {{Credential/isConditionalMediationAvailable()}}:
+
+        <ol class="algorithm">
+            1.  Return `false`.
+        </ol>
+
+        The specification for any [=credential type=] supporting {{CredentialMediationRequirement/conditional}} mediation must explicitly override this function to return `true`. 
+        Note: If this function is not present, {{CredentialMediationRequirement/conditional}}
+        mediation is not supported for the [=credential type=].
+
     :   <dfn attribute>\[[type]]</dfn>
     ::  The {{Credential}} [=interface object=] has an internal slot named `[[type]]`, which
         unsurprisingly contains a string representing the <dfn>credential type</dfn>. The slot's value
@@ -609,6 +626,7 @@ spec:css-syntax-3;
     enum CredentialMediationRequirement {
       "silent",
       "optional",
+      "conditional",
       "required"
     };
   </pre>
@@ -633,6 +651,24 @@ spec:css-syntax-3;
         a user has just clicked "sign-in" for example, then they won't be surprised or confused to
         see a [=credential chooser=] if necessary.
 
+    :   <dfn>conditional</dfn>
+    ::  Discovered credentials are presented to the user in a non-modal dialog along with an
+        indication of the origin which is requesting credentials. If the user makes a gesture
+        outside of the dialog, the dialog closes without having the {{CredentialsContainer/get()}}
+        method return to the caller and without causing a user-visible error condition. If the user
+        makes a gesture that selects a credential, that credential is returned to the caller.  The
+        [=prevent silent access flag=] is treated as being `true` regardless of its actual value:
+        the {{CredentialMediationRequirement/conditional}} behavior always involves [=user
+        mediation=] of some sort if applicable credentials are discovered.
+
+        If no credentials are discovered, the user agent MAY prompt the user to take action in a way
+        that depends on the type of credential (e.g. to insert a device containing credentials).
+        Either way, the `get()` method MUST NOT return immediately with `null` to avoid revealing
+        the lack of applicable credentials to the website.
+
+        Websites can discover the availability of {{CredentialMediationRequirement/conditional}}
+        mediation by querying {{Credential/isConditionalMediationAvailable()}} for the [=credential type=] of interest.
+
     :   <dfn>required</dfn>
     ::  The user agent will not hand over credentials without [=user mediation=], even if the
         [=prevent silent access flag=] is unset for an origin.
@@ -801,6 +837,9 @@ spec:css-syntax-3;
             4.  |options|.{{CredentialRequestOptions/mediation}} is not
                 "{{CredentialMediationRequirement/required}}".
 
+            5.  |options|.{{CredentialRequestOptions/mediation}} is not
+                "{{CredentialMediationRequirement/conditional}}".
+
             ISSUE: This might be the wrong model. It would be nice to support a site that wished
             to accept either username/passwords or webauthn-style credentials without forcing
             a chooser for those users who use the former, and who wish to remain signed in.
@@ -812,18 +851,24 @@ spec:css-syntax-3;
         5.  Let |choice| be the result of <a abstract-op lt="ask to choose">asking the user to
             choose a `Credential`</a>, given |options| and |credentials|.
 
-        6.  If |choice| is `null` or a {{Credential}}, [=resolve=] |p| with |choice| and skip the
-            remaining steps.
+        6.  If |choice| is `null` or a {{Credential}}, let |result| be |choice| and go to step 9.
 
         7.  Assert: |choice| is an [=interface object=].
 
         8.  Let |result| be the result of executing |choice|'s
             {{[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)}},
             given |origin|, |options|, and |sameOriginWithAncestors|.
 
-        9.  If |result| is a {{Credential}} or `null`, resolve |p| with |result|.
+        9.  If |result| is a {{Credential}}, [=resolve=] |p| with |result|.
+
+        10. If |result| is an [=exception=], [=reject=] |p| with |result|.
 
-            Otherwise, [=reject=] |p| with |result|.
+        11. If |result| is `null` and |options|.{{CredentialRequestOptions/mediation}} is not
+            {{CredentialMediationRequirement/conditional}}, [=resolve=] |p| with |result|.
+
+            Note: if |options|.{{CredentialRequestOptions/mediation}} is
+            {{CredentialMediationRequirement/conditional}} and a `null` credential is discovered,
+            promise |p| is not resolved.
 
     7.  Return |p|.
   </ol>
@@ -2120,7 +2165,7 @@ spec:css-syntax-3;
         value is "{{Credential/[[discovery]]/credential store}}".
       </div>
 
-  4.  Extend {{CredentialRequestOptions}} with the options the new credential type needs to respond
+  5.  Extend {{CredentialRequestOptions}} with the options the new credential type needs to respond
       reasonably to {{get()}}:
 
       <div class="example">
@@ -2135,7 +2180,7 @@ spec:css-syntax-3;
         </pre>
       </div>
 
-  5.  Extend {{CredentialCreationOptions}} with the data the new credential type needs to create
+  6.  Extend {{CredentialCreationOptions}} with the data the new credential type needs to create
       `Credential` objects in response to {{create()}}:
 
       <div class="example">
@@ -2150,6 +2195,9 @@ spec:css-syntax-3;
         </pre>
       </div>
 
+  7.  If the new credential type supports {{CredentialMediationRequirement/conditional}} [=user
+      mediation=], overload {{Credential/isConditionalMediationAvailable()}} and return `true`.
+
   You might also find that new primitives are necessary. For instance, you might want to return
   many {{Credential}} objects rather than just one in some sort of complicated, multi-factor
   sign-in process. That might be accomplished in a generic fashion by adding a `getAll()` method to