311725 2026-04-08 05:16:44 -0700 CredentialsContainer::get(): credential type combination check is incomplete — only validates publicKey and digital 2026-04-08 05:21:21 -0700 1 1 1 Unclassified WebKit WebCore Misc. WebKit Local Build Unspecified Unspecified NEW InRadar P2 Normal --- 310788 1 marcosc webkit-unassigned webkit-bug-importer oldest_to_newest 2197951 0 marcosc 2026-04-08 05:16:44 -0700 The combination check added in bug 310788 (PR #62231) only validates publicKey/digital combinations. It does not correctly handle combinations involving password, federated, identity, or otp. Per https://github.com/w3c/webappsec-credential-management/pull/261, the registry defines "Types allowed in the same get() request": digital → empty (cannot mix with any other type) federated → password only identity → empty otp → empty password → federated only publicKey → empty The spec algorithm says (verbatim): "If |type1|'s types allowed in the same get() request doesn't contain |type2|, then return a promise rejected with a NotSupportedError DOMException." Current bugs: 1. { publicKey: {...}, password: true } — should NotSupportedError, but currently passes and silently ignores password. 2. { digital: {...}, password: true } — same problem. 3. { password: true, federated: {...} } — valid combo per spec, but we reject with "Missing request type" since we only look for publicKey/digital. 4. { password: true } alone — valid (if unimplemented) type, but we reject with "Missing request type". Fix: validate all combinations against the registry table. For unimplemented types (password, federated, identity, otp), return null rather than "Missing request type". 2197952 1 webkit-bug-importer 2026-04-08 05:16:50 -0700 <rdar://problem/174313024>