WebCrypto parameters are built in C++ code right before using them, so there is no opportunity for an attacker to pass a wrong one form JS. But there is so much code dealing with them that there is a lot of opportunities to make a typo.
Created attachment 216825 [details] proposed patch
Committed <http://trac.webkit.org/r159213>.