w3c · MasterKale · Jul 11, 2024 · Jul 11, 2024 · Jul 11, 2024 · Jul 12, 2024
diff --git a/index.bs b/index.bs
@@ -1975,7 +1975,23 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
 
             :   If the user exercises a user agent user-interface option to cancel the process,
             ::  [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator|
-                and [=set/remove=] |authenticator| from |issuedRequests|. Throw a "{{NotAllowedError}}" {{DOMException}}.
+                and [=set/remove=] |authenticator| from |issuedRequests|.
+
+                If the user agent is informing the user of an inability to continue the ceremony
+                due to missing {{AuthenticatorTransport/hybrid}} prerequisites,
+                throw a "{{HybridPrerequisitesError}}" {{DOMException}}.
+
+                If the user agent is prompting the user to complete the ceremony using an authenticator
+                that may be available over the {{AuthenticatorTransport/hybrid}} transport,
+                throw a "{{UserHybridCancellationError}}" {{DOMException}}.
+
+                If the user agent is informing the user that
+                the last used |authenticator| cannot collect [=user verification=] when
+                <code>|pkOptions|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{AuthenticatorSelectionCriteria/userVerification}}</code>
+                is set to {{UserVerificationRequirement/required}},
+                throw a "{{UserVerificationError}}" {{DOMException}}.
+
+                Otherwise, throw a "{{UserCancellationError}}" {{DOMException}}.
 
             :   If <code>|options|.{{CredentialCreationOptions/signal}}</code> is present and [=AbortSignal/aborted=],
             ::  [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=]
@@ -2244,7 +2260,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
         </dl>
     </li>
 
-1. Throw a "{{NotAllowedError}}" {{DOMException}}. In order to prevent information leak that could identify the
+1. Throw a "{{TimeoutError}}" {{DOMException}}. In order to prevent information leak that could identify the
     user without [=user consent|consent=], this step MUST NOT be executed before |lifetimeTimer| has expired. See
     [[#sctn-make-credential-privacy]] for details.
 
@@ -2278,6 +2294,10 @@ The following {{DOMException}} exceptions can be raised:
     :   {{InvalidStateError}}
     ::  The authenticator used in the ceremony recognized an entry in {{PublicKeyCredentialCreationOptions/excludeCredentials}}
         after the user [=user consent|consented=] to registering a credential.
+
+    :   {{HybridPrerequisitesError}}
+    ::  The ceremony was cancelled due to missing prerequisites for use of
+        the {{AuthenticatorTransport/hybrid}} transport.
 
     :   {{NotSupportedError}}
     ::  No entry in {{PublicKeyCredentialCreationOptions/pubKeyCredParams}} had a {{PublicKeyCredentialDescriptor/type}} property of {{PublicKeyCredentialType/public-key}},
@@ -2294,10 +2314,21 @@ The following {{DOMException}} exceptions can be raised:
     :   {{UnknownError}}
     ::  The [=authenticator=] could not process the supplied options,
         or encountered an error while creating the new credential.
+
+    :   {{UserCancellationError}}
+    ::  The user has exercised a user agent user-interface option
+        to end the ceremony.
+
+    :   {{UserHybridCancellationError}}
+    ::  The user has exercised a user agent user-interface option
+        to end the ceremony while being prompted to complete a ceremony
+        via the {{AuthenticatorTransport/hybrid}} transport.
+
+    :   {{UserVerificationError}}
+    ::  The user was unable to complete [=user verification=] as required by the [=[RP]=].
 
     :   {{NotAllowedError}}
-    ::  A catch-all error covering a wide range of possible reasons,
-        including common ones like the user canceling out of the ceremony.
+    ::  A catch-all error covering a wide range of possible reasons.
         Some of these causes are documented throughout this spec,
         while others are client-specific.
 
@@ -2519,7 +2550,23 @@ When this method is invoked, the user agent MUST execute the following algorithm
 
         :   If the user exercises a user agent user-interface option to cancel the process,
         ::  [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator|
-            and [=set/remove=] |authenticator| from |issuedRequests|. Throw a "{{NotAllowedError}}" {{DOMException}}.
+            and [=set/remove=] |authenticator| from |issuedRequests|.
+
+            If the user agent is informing the user of an inability to continue the ceremony
+            due to missing {{AuthenticatorTransport/hybrid}} prerequisites,
+            throw a "{{HybridPrerequisitesError}}" {{DOMException}}.
+
+            If the user agent is prompting the user to complete the ceremony using an authenticator
+            that may be available over the {{AuthenticatorTransport/hybrid}} transport,
+            throw a "{{UserHybridCancellationError}}" {{DOMException}}.
+
+            If the user agent is informing the user that
+            the last used |authenticator| cannot collect [=user verification=] when
+            <code>|pkOptions|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{AuthenticatorSelectionCriteria/userVerification}}</code>
+            is set to {{UserVerificationRequirement/required}},
+            throw a "{{UserVerificationError}}" {{DOMException}}.
+
+            Otherwise, throw a "{{UserCancellationError}}" {{DOMException}}.
 
         :   If <code>|options|.{{CredentialRequestOptions/signal}}</code> is present and [=AbortSignal/aborted=],
         ::  [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator|
@@ -2698,7 +2745,7 @@ When this method is invoked, the user agent MUST execute the following algorithm
             1.  Return |constructAssertionAlg| and terminate this algorithm.
     </dl>
 
-1. Throw a "{{NotAllowedError}}" {{DOMException}}. In order to prevent information leak that could identify the
+1. Throw a "{{TimeoutError}}" {{DOMException}}. In order to prevent information leak that could identify the
     user without [=user consent|consent=], this step MUST NOT be executed before |lifetimeTimer| has expired. See
     [[#sctn-assertion-privacy]] for details.
 
@@ -2846,6 +2893,10 @@ The following {{DOMException}} exceptions can be raised:
     ::  The ceremony was cancelled by an {{AbortController}}.
         See [[#sctn-abortoperation]] and [[#sctn-sample-aborting]].
 
+    :   {{HybridPrerequisitesError}}
+    ::  The ceremony was cancelled due to missing prerequisites for use of
+        the {{AuthenticatorTransport/hybrid}} transport.
+
     :   {{SecurityError}}
     ::  The [=effective domain=] was not a [=valid domain=],
         or <code>{{PublicKeyCredentialCreationOptions/rp}}.{{PublicKeyCredentialRpEntity/id}}</code> was not equal to or a registrable domain suffix of the [=effective domain=].
@@ -2857,10 +2908,21 @@ The following {{DOMException}} exceptions can be raised:
     :   {{UnknownError}}
     ::  The [=authenticator=] could not process the supplied options,
         or encountered an error while generating an [=assertion signature=].
+
+    :   {{UserCancellationError}}
+    ::  The user has exercised a user agent user-interface option
+        to end the ceremony.
+
+    :   {{UserHybridCancellationError}}
+    ::  The user has exercised a user agent user-interface option
+        to end the ceremony while being prompted to complete a ceremony
+        via the {{AuthenticatorTransport/hybrid}} transport.
+
+    :   {{UserVerificationError}}
+    ::  The user was unable to complete [=user verification=] as required by the [=[RP]=].
 
     :   {{NotAllowedError}}
-    ::  A catch-all error covering a wide range of possible reasons,
-        including common ones like the user canceling out of the ceremony.
+    ::  A catch-all error covering a wide range of possible reasons.
         Some of these causes are documented throughout this spec,
         while others are client-specific.
 </dl>
@@ -3726,6 +3788,34 @@ SHOULD be aborted.
     See [WHATWG HTML WG Issue #2711](https://github.com/whatwg/html/issues/2711) for more details.
 
 
+## WebAuthn Interfaces ## {#sctn-interfaces}
+
+The subection below defines custom interfaces used throughout WebAuthn.
+
+### Custom WebAuthn Exceptions ### {#iface-custom-webauthn-exceptions}
+
+For descriptions of these exceptions,
+please see [[#sctn-create-request-exceptions]] and [[#sctn-get-request-exceptions]].
+
+<xmp class="idl">
+[Exposed=Window, Serializable]
+interface HybridPrerequisitesError : DOMException {
+};
+
+[Exposed=Window, Serializable]
+interface UserCancellationError : DOMException {
+};
+
+[Exposed=Window, Serializable]
+interface UserHybridCancellationError : DOMException {
+};
+
+[Exposed=Window, Serializable]
+interface UserVerificationError : DOMException {
+};
+</xmp>
+
+
 ## WebAuthn Extensions Inputs and Outputs ## {#sctn-extensions-inputs-outputs}
 
 The subsections below define the data types used for conveying [=WebAuthn extension=] inputs and outputs.