I'll try to reproduce this. It's the second report I've seen about `requireUserMediation()` not working, so there's got to be something there.

Investigating this uncovered an issue in `body` processing: https://codereview.chromium.org/1862293003 resolves the 403 errors thrown by `/register`. Still no luck reproducing the core of the issue, though, agektmr@.

I have reproduced the issue.

Revised steps :
(1) go to https://legacy-cma-dot-credential-management-sample.appspot.com/
(2) Register yourself using fake id/password
(3) Sign out
(4) Sign in
(5) Sign out

At step (3), the credential is stored without any consents or bubble.
At step (4), id/password will be auto filled.
After (5), the user will be automatically signed in.

Eiji seems to be seeing this sporadically. I haven't been able to reproduce it on Linux. Christos (CC'd), can no longer reproduce a similar-sounding issue he saw on Chrome OS.

I'll poke at it a bit today on Mac to see if I can make it show up there.

I have started to see this behavior again following the steps I have raised on comment #3 OR:
(0) remove id/password at chrome://settings/passwords
(1) go to https://legacy-cma-dot-credential-management-sample.appspot.com/
(2) Sign in using form
(3) Sign out
(4) Sign in
(5) Sign out

Can you please check?

I don't believe this is happening in Chrome today. I poked at it again this morning, and was not able to reproduce. Please reopen the bug if you're still seeing this, Eiji!