Implement AttestationConveyancePreference for the WebAuthN API
Issue description

Add AttestationConveyancePreference to MakePublicKeyCredentials and support replacing device certificates with "Self Attestation" certificates.
Feb 2 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/54e157ee6d142e724c0f2bdfe8d54644bb583781

commit 54e157ee6d142e724c0f2bdfe8d54644bb583781
Author: Adam Langley <agl@chromium.org>
Date: Fri Feb 02 18:50:36 2018

webauthn: implement AttestationConveyancePreference.

AttestationConveyancePreference allows an RP to declare whether or not they are interested in attestation information. If not (which is the default), it is replaced with a “none” attestation.

The option for “indirect” attestation is currently implemented in the same way as “direct” since we are not currently planning on standing up a Privacy CA for this.

The AAGUID is not zeroed out because, for U2F devices, the AAGUID is created by Chrome and is always zero. When we support CTAP2 devices this will have to be addressed.

(The URLs in the comments here might not actually work yet. They are written assuming that https://github.com/w3c/webauthn/pull/741 lands, which should happen within a week or two.)

Bug: 803829
Change-Id: Id701349ea2ec999b40a592cc94b1535818c25e78
Reviewed-on: https://chromium-review.googlesource.com/895387
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Kim Paulhamus <kpaulhamus@chromium.org>
Reviewed-by: Jan Wilken Dörrie <jdoerrie@chromium.org>
Reviewed-by: Balazs Engedy <engedy@chromium.org>
Commit-Queue: Adam Langley <agl@chromium.org>
Cr-Commit-Position: refs/heads/master@{#534110}

[modify] https://crrev.com/54e157ee6d142e724c0f2bdfe8d54644bb583781/content/browser/webauth/authenticator_impl.cc
[modify] https://crrev.com/54e157ee6d142e724c0f2bdfe8d54644bb583781/content/browser/webauth/authenticator_impl.h
[modify] https://crrev.com/54e157ee6d142e724c0f2bdfe8d54644bb583781/device/u2f/attestation_object.cc
[modify] https://crrev.com/54e157ee6d142e724c0f2bdfe8d54644bb583781/device/u2f/attestation_object.h
[modify] https://crrev.com/54e157ee6d142e724c0f2bdfe8d54644bb583781/device/u2f/attestation_statement.cc
[modify] https://crrev.com/54e157ee6d142e724c0f2bdfe8d54644bb583781/device/u2f/attestation_statement.h
[modify] https://crrev.com/54e157ee6d142e724c0f2bdfe8d54644bb583781/device/u2f/register_response_data.cc
[modify] https://crrev.com/54e157ee6d142e724c0f2bdfe8d54644bb583781/device/u2f/register_response_data.h
[modify] https://crrev.com/54e157ee6d142e724c0f2bdfe8d54644bb583781/third_party/WebKit/Source/modules/credentialmanager/CredentialManagerTypeConverters.cpp
[modify] https://crrev.com/54e157ee6d142e724c0f2bdfe8d54644bb583781/third_party/WebKit/Source/modules/credentialmanager/MakePublicKeyCredentialOptions.idl
[modify] https://crrev.com/54e157ee6d142e724c0f2bdfe8d54644bb583781/third_party/WebKit/public/platform/modules/webauth/authenticator.mojom
Feb 12 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/85339f6516a0e93e0ee05e9bfd8e1066db4374a9

commit 85339f6516a0e93e0ee05e9bfd8e1066db4374a9
Author: Adam Langley <agl@chromium.org>
Date: Mon Feb 12 22:03:56 2018

webauthn: prompt for attestation permission when needed.

This change implements a user consent prompt before returning attestation information from a device. (Thus making webauthn act like U2F currently does.) Unlike U2F, however, it is a fatal error if a user denies consent, as required by the spec.

The attestation behavior is also affected by the SecurityKeyPermitAttestation[1] enterprise policy. This list can contain either U2F AppIDs (which are full URLs) or webauthn RP IDs (which are domains). Its effect on attestation is detailed in the following table:

"attestation" value | RP ID not listed in policy | RP ID listed
--------------------+----------------------------+---------------------
"none" / not given  | Empty, "none" attestation  | Empty, "none"
                    | returned.                  | attestation returned.
--------------------+----------------------------+---------------------
"indirect"/"direct" | User prompted for consent. | Attestation from
                    | If granted, attestation    | device is returned.
                    | from device is returned.   |
                    | Otherwise a permission     |
                    | error is generated.        |

(The behavior of "indirect" attestation in webauthn may change in the future but, for now, it is identical to "direct".)

[1] https://www.chromium.org/administrators/policy-list-3#SecurityKeyPermitAttestation

Bug: 803829, 793985
Change-Id: I4e1d15a93ebc067869df7656016990b29fe12b59
Reviewed-on: https://chromium-review.googlesource.com/900452
Reviewed-by: Timothy Loh <timloh@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Reviewed-by: Balazs Engedy <engedy@chromium.org>
Reviewed-by: Kim Paulhamus <kpaulhamus@chromium.org>
Commit-Queue: Adam Langley <agl@chromium.org>
Cr-Commit-Position: refs/heads/master@{#536206}

[modify] https://crrev.com/85339f6516a0e93e0ee05e9bfd8e1066db4374a9/chrome/browser/BUILD.gn
[modify] https://crrev.com/85339f6516a0e93e0ee05e9bfd8e1066db4374a9/chrome/browser/chrome_content_browser_client.cc
[modify] https://crrev.com/85339f6516a0e93e0ee05e9bfd8e1066db4374a9/chrome/browser/chrome_content_browser_client.h
[modify] https://crrev.com/85339f6516a0e93e0ee05e9bfd8e1066db4374a9/chrome/browser/extensions/api/cryptotoken_private/cryptotoken_private_api.cc
[add] https://crrev.com/85339f6516a0e93e0ee05e9bfd8e1066db4374a9/chrome/browser/permissions/attestation_permission_request.cc
[add] https://crrev.com/85339f6516a0e93e0ee05e9bfd8e1066db4374a9/chrome/browser/permissions/attestation_permission_request.h
[modify] https://crrev.com/85339f6516a0e93e0ee05e9bfd8e1066db4374a9/content/browser/webauth/authenticator_impl.cc
[modify] https://crrev.com/85339f6516a0e93e0ee05e9bfd8e1066db4374a9/content/browser/webauth/authenticator_impl.h
[modify] https://crrev.com/85339f6516a0e93e0ee05e9bfd8e1066db4374a9/content/public/browser/content_browser_client.cc
[modify] https://crrev.com/85339f6516a0e93e0ee05e9bfd8e1066db4374a9/content/public/browser/content_browser_client.h
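
The decision table in the commit message above, modelled as an added example; this is not Chromium's code and not part of the original commit. All identifiers are hypothetical, and matching the RP ID against the policy list by exact string comparison is an assumption.

```cpp
// Added illustration, not Chromium code: a model of the decision table in
// the commit message above. All identifiers here are hypothetical.
#include <functional>
#include <iostream>
#include <set>
#include <string>

enum class Preference { kNotGiven, kNone, kIndirect, kDirect };
enum class Outcome { kNoneAttestation, kDeviceAttestation, kPermissionError };

struct Decision {
  Outcome outcome;
  bool prompted;  // whether the user saw a consent prompt
};

// `permitted` stands in for the SecurityKeyPermitAttestation list. Matching
// the RP ID by exact string comparison is an assumption of this sketch.
Decision DecideAttestation(Preference pref, const std::string& rp_id,
                           const std::set<std::string>& permitted,
                           const std::function<bool()>& ask_user) {
  // "none" / not given: attestation is replaced, policy is irrelevant.
  if (pref == Preference::kNotGiven || pref == Preference::kNone)
    return {Outcome::kNoneAttestation, false};
  // "indirect" and "direct" are treated identically.
  if (permitted.count(rp_id) > 0)
    return {Outcome::kDeviceAttestation, false};  // listed: no prompt
  // Not listed: consent is required, and denial is a fatal error.
  const bool granted = ask_user();
  return {granted ? Outcome::kDeviceAttestation : Outcome::kPermissionError,
          true};
}

int main() {
  // Constructed sample policy list and RP IDs.
  const std::set<std::string> permitted = {"corp.example"};
  auto deny = [] { return false; };
  Decision d = DecideAttestation(Preference::kDirect, "shop.example",
                                 permitted, deny);
  std::cout << (d.outcome == Outcome::kPermissionError) << d.prompted << "\n";
  d = DecideAttestation(Preference::kDirect, "corp.example", permitted, deny);
  std::cout << (d.outcome == Outcome::kDeviceAttestation) << d.prompted << "\n";
  return 0;
}
```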
Feb 13 2018
Comment 1 by kpaulhamus@chromium.org, Jan 22 2018