Make user mediation implicit and always required

[mohamedamir]

This change simplifies the Digital Credentials API by making user mediation an implicit, non-overridable behavior.

Currently, the specification requires developers to explicitly set mediation: 'required' for get() and create() calls. This adds unnecessary boilerplate.

With this change:

• User mediation is always performed as if mediation: 'required' were specified.
• The mediation parameter in CredentialRequestOptions and CredentialCreationOptions is ignored.
• No error is thrown if the mediation member is absent or has another value.

This simplifies the API for developers and aligns with the goal of making required mediation the default, non-overridable behavior.

Closes #177
Closes #384

The following tasks have been completed:

• Modified Web platform tests (link)

Implementation commitment:

• WebKit (link to issue)
• Chromium (link to issue)
• Gecko (link to issue)

Documentation and checks

• Affects privacy
• Affects security
• Pinged MDN
• Updated Explainer
• Updated digitalcredentials.dev

---

Preview | Diff

[marcoscaceres]

Although I agree with this behavior, I think it should be defaulted by the CredMan spec instead. So we would register the default there instead. That follows the convention already set forth in the underlying spec.

[mohamedamir]

Although I agree with this behavior, I think it should be defaulted by the CredMan spec instead. So we would register the default there instead. That follows the convention already set forth in the underlying spec.

@marcoscaceres
But as we discussed, this will complicate both the CredMan spec and the implementation in the browsers, and it's better to avoid that for simplicity.
Did I get it wrong?

[marcoscaceres]

Did I get it wrong?

No, absolutely not. Right, I see now more clearly what you are going for! I'm worried were are "monkey patching" though, which we should avoid.

What I'm trying to figure out is how do we handle this in Cred Man if we need to (i.e., just looking at all options).

[mohamedamir]

What I'm trying to figure out is how do we handle this in Cred Man if we need to (i.e., just looking at all options).

Sure, sounds good.

Looking at the get() algorithm of CredMan, it seems the to be fine, we aren't actually overriding anything.
One observation though is that in Step 13.4, Silent mediation is explicitly prohibited, so it should be impossible to reach the DiscoverFromExternalSources() with silent mediation.
Not sure if this should impact the words in this PR though.

Another observation is Step 13.9 conditional mediation with null credentials isn't resolved.

Having said that, CredMan spec doesn't impose any constraints on the DiscoverFromExternalSources() method and hence I believe it's fine to ignore mediation there.

So I don't think there is anything to be done at the CredMan level.

WDYT?

[Copilot]

Pull Request Overview

This PR simplifies the Digital Credentials API by making user mediation implicit and always required, removing the need for developers to explicitly specify mediation: 'required'. The change eliminates the requirement to set the mediation parameter and prevents TypeErrors from being thrown when it's absent or set to other values, making the API more developer-friendly while maintaining user control.

Key changes:

• User mediation is now always performed as if mediation: 'required' were specified
• The mediation parameter is ignored rather than validated
• User agents must not throw TypeError for absent or non-required mediation values

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[marcoscaceres]

With the suggested change, this seems good.