#1213: Question: Capability Delegation stalled -- specs are implementing local workarounds

Opened Mar 30, 2026

In 2021 the TAG reviewed Capability Delegation (#655) and closed it as satisfied. The work was expected to move to WHATWG. It hasn't. The last commit to the WICG repo is February 2023, and the upstreaming issue (WICG/capability-delegation#40) has had no activity.

In the absence of a general solution, specs are now solving the redirect-breaks-activation problem independently:

  • Payment Request weakened the show() activation requirement from a hard requirement to a MAY in PR #1009 (June 2023), with security mitigations left to implementer discretion.
  • Digital Credentials is now proposing a freebie counter that allows one activation-free credential request per global object, citing Payment Request as precedent.

Each spec is solving this locally, inconsistently, and in ways that are exploitable (the DC counter is bypassable via iframes and back/forward navigation). The precedent chain is accumulating.

This is directly relevant to the TAG's finding on preventing credential abuse, which warns against normalizing credential requests by reducing friction.

We have filed a PR on Payment Request to restore the hard requirement and replace it with a note pointing to the open problem, and a comment on the DC PR making the same case.

The question: Is there anything the TAG can do to help move Capability Delegation forward -- whether that means pushing for WHATWG uptake, issuing a finding that names the pattern and blocks per-spec workarounds, or something else? The problem is real and the gap is now producing concrete harm in multiple specs.

Discussions

Comment by @yoavweiss Mar 30, 2026

^^ @mustaqahmed

Discussed Apr 6, 2026

Jeffrey: Capability delegation... it was discussed in the Eurasia breakout. What should we do with it? Marcos was complaining that people are not doing the work, but there is not much we can do as TAG. It seems we all agree on having a consistent design for this problem.

Heather: I am motivated to see the results. Do we have any relation with the WHATWG chairs?

Jeffrey: there are now WHATWG chairs. ??? is the person working on this. We can say we think it should continue.

Heather: Yes

Jeffrey: I think we can comment that in the review.

Matthew: I was very interested in the description by Marcos yesterday. He was saying there are some solutions for this, and most of them were not ideal. We don't want to see many of those solutions get accepted.

Jeffrey: we can say a freebie for new iframes is bad.

Matthew: ???

Heather: I have no objection to that. It will have some issues with WebAuthn. This might mean that if it is a no here, then it will be a no to WebAuthn either.

Jeffrey: Draft comment:

We discussed this in two breakouts, and the TAG agrees that we'd like work to continue on Capability Delegation to act as infrastructure for these several related areas.

We agree with @marcoscaceres that we see potential abuse if each new iframe gets a call without activation. We think that WebAuthn needs to reconsider its design if it's open to this abuse.

Jeffrey: no objection to it, so I will put it. Also, we need a volunteer to refer to the specs affected. Marcos?

Heather: Maybe not Marcos.

Jeffrey: Heather, do you want to be there?

Comment by @jyasskin Apr 10, 2026

We discussed this in two breakouts, and the TAG agrees that we'd like work to continue on Capability Delegation to act as infrastructure for these several related areas.

We agree with @marcoscaceres that we see potential abuse if each new iframe gets a call without activation. We think that WebAuthn needs to reconsider its design if it's open to this abuse.