Issue 814418

Issue metadata

Status: WontFix
Owner: ----
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: ----

Add LayoutTests to test privacy guarantee for timeouts / NOT_ALLOWED_ERROR

Project Member Reported by kpaulhamus@chromium.org, Feb 21 2018

Issue description

Assert that WebAuthN operations that either return NOT_ALLOWED_ERROR or timeout are indistinguishable to prevent privacy leaks.

Dependent on software security key.
 

Comment 1 by engedy@chromium.org, Mar 31 2018

Cc: agl@chromium.org
Labels: M-67 Pri-2
Would be nice to have, but not quite sure how to reliably test whether a request "would time out" without actually letting it time out. Ideas are welcome.

Comment 2 by engedy@chromium.org, Mar 31 2018

Labels: Hotlist-WebAuthnFixit
The only thing that comes to mind - set up a normal timeout test (like the one that verifies the timeout works) and issue all the requests that should definitely return NOT_ALLOWED_ERROR and verify the error wasn't returned until we deliberately trigger the timeout.
...basically, extending the existing timeout tests to cover all NOT_ALLOWED_ERROR cases. Beyond that I'm not sure what we could do.
Do you mean external/wpt/webauthn/createcredential-timeout.https.html? I am afraid I removed all the other timeout-based tests. Maybe we can let the Testing API fast-forward time somehow, but I will have to think about the details.


Oh, hm I guess I was thinking of the timeout unit tests here:
https://cs.chromium.org/chromium/src/content/browser/webauth/authenticator_impl_unittest.cc
Not quite the same thing..
Seems likely we could do this in browser tests. Not sure about layout tests.
Looked into this further and I don't think this is possible. Should we close this out?

Comment 8 by engedy@chromium.org, Apr 13 2018

Status: WontFix (was: Assigned)
Yeah, let's have unit tests with mockable time.
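
The check discussed in this thread, sketched with mockable time as an added example; it is not code from the issue or from Chromium. `MockClock`, `startRequest`, `observe` and `indistinguishable` are hypothetical names, and the request is a toy model that only distinguishes a refused request from one that never gets an answer.

```javascript
// Added illustration: a toy model, not Chromium's AuthenticatorImpl or its tests.
// MockClock is a hypothetical stand-in for "mockable time": timers fire only on advance().
class MockClock {
  constructor() { this.now = 0; this.timers = []; }
  setTimeout(fn, ms) { this.timers.push({ at: this.now + ms, fn }); }
  advance(ms) {
    this.now += ms;
    const due = this.timers.filter((t) => t.at <= this.now);
    this.timers = this.timers.filter((t) => t.at > this.now);
    due.forEach((t) => t.fn());
  }
}

// outcome: "not_allowed" (request refused internally) or "no_response" (nothing ever answers).
// deferFailures=true holds the refusal until the timeout; false reports it at once (leaky).
function startRequest(clock, outcome, timeoutMs, deferFailures, onSettle) {
  let settled = false;
  const settle = (error) => {
    if (!settled) { settled = true; onSettle({ error, at: clock.now }); }
  };
  if (outcome === "not_allowed" && !deferFailures) settle("NotAllowedError");
  clock.setTimeout(() => settle("NotAllowedError"), timeoutMs);
}

// What a caller can see: the state after each clock step, plus when it settled.
function observe(outcome, deferFailures, timeoutMs = 1000) {
  const clock = new MockClock();
  let event = null;
  startRequest(clock, outcome, timeoutMs, deferFailures, (e) => { event = e; });
  const states = [event ? event.error : "pending"];
  for (const step of [timeoutMs - 1, 1]) { // just before the timeout, then exactly at it
    clock.advance(step);
    states.push(event ? event.error : "pending");
  }
  return JSON.stringify({ states, settledAt: event.at });
}

// The privacy check: both failure causes must produce identical observations.
function indistinguishable(deferFailures) {
  return observe("not_allowed", deferFailures) === observe("no_response", deferFailures);
}
```

Because the clock only moves when the test advances it, the "still pending just before the timeout" assertion costs no wall-clock time.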
