
Update SPC spec to reflect that credential create in cross-origin iframe is now allowed in WebAuthn

Open stephenmcgruer opened this issue 5 months ago • 1 comments

Currently the 'payment' extension is specified to allow credential creation in a cross-origin iframe:

1. Modify step 2 (the check for sameOriginWithAncestors) as follows:

    - If sameOriginWithAncestors is false:

        - If the [relevant global object](https://html.spec.whatwg.org/multipage/webappapis.html#concept-relevant-global), as determined by the calling [create()](https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create) implementation, does not have [transient activation](https://html.spec.whatwg.org/multipage/interaction.html#transient-activation):

            - Return a [DOMException](https://webidl.spec.whatwg.org/#idl-DOMException) whose name is "[SecurityError](https://webidl.spec.whatwg.org/#securityerror)", and terminate this algorithm.

    - [Consume user activation](https://html.spec.whatwg.org/multipage/interaction.html#consume-user-activation) of the [relevant global object](https://html.spec.whatwg.org/multipage/webappapis.html#concept-relevant-global).

Source

This uses the payment permission policy (source).

However, as of https://github.com/w3c/webauthn/pull/1801, this behavior is now in the WebAuthn spec itself:

2. If sameOriginWithAncestors is false:

    - If the [relevant global object](https://html.spec.whatwg.org/multipage/webappapis.html#concept-relevant-global), as determined by the calling [create()](https://w3c.github.io/webappsec-credential-management/#dom-credentialscontainer-create) implementation, does not have [transient activation](https://html.spec.whatwg.org/multipage/interaction.html#transient-activation):

        - Throw a "[NotAllowedError](https://webidl.spec.whatwg.org/#notallowederror)" [DOMException](https://webidl.spec.whatwg.org/#idl-DOMException).

    - [Consume user activation](https://html.spec.whatwg.org/multipage/interaction.html#consume-user-activation) of the [relevant global object](https://html.spec.whatwg.org/multipage/webappapis.html#concept-relevant-global).

Source

As such, we can now remove the text from SPC. However, there's a slight hitch. Spot the difference between the above two bits of spec text?

If there isn't a transient activation, SPC throws a SecurityError DOMException. But WebAuthn throws a NotAllowedError.

So, we have a small web compat issue here. We should confirm with known SPC implementors if they are handling a SecurityError specifically during credential creation, and if changing it to NotAllowedError would break them.

stephenmcgruer, Jan 26 '24 20:01
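The compat concern raised in the issue above, as an added example (not code from the issue, the SPC or WebAuthn specs, or any implementor): a caller that branches only on `SecurityError` would miss the `NotAllowedError` that WebAuthn specifies, so this handler treats both names alike when creating a credential in a cross-origin iframe. The function names, outcome strings, the caller-supplied `sameOriginWithAncestors` flag and the injectable `nav` parameter are assumptions made for illustration.

```javascript
// Added example; classifyCreateError and createPaymentCredential are
// hypothetical names, not part of the SPC or WebAuthn specifications.

// Names a cross-origin create() may reject with when transient activation is
// missing: the SPC text says SecurityError, the WebAuthn text NotAllowedError.
const NO_ACTIVATION_NAMES = new Set(["SecurityError", "NotAllowedError"]);

// Map a create() rejection to an outcome without depending on which of the
// two spec texts the browser implements. Either name can also signal other
// failures, so the outcome is "offer a retry from a click", not a diagnosis.
function classifyCreateError(err, sameOriginWithAncestors) {
  const name = err && typeof err.name === "string" ? err.name : "";
  if (!sameOriginWithAncestors && NO_ACTIVATION_NAMES.has(name)) {
    return "retry-from-user-gesture";
  }
  return "failed";
}

// publicKey is the caller's creation options (including the 'payment'
// extension); nav defaults to the browser's navigator and is injectable so
// the logic can be exercised outside a browser.
async function createPaymentCredential(
  publicKey,
  sameOriginWithAncestors,
  nav = globalThis.navigator
) {
  // Check activation up front so the common case never reaches the
  // spec-dependent error path. userActivation may be absent in some browsers.
  const activation = nav.userActivation;
  if (!sameOriginWithAncestors && activation && !activation.isActive) {
    return { outcome: "retry-from-user-gesture", credential: null };
  }
  try {
    const credential = await nav.credentials.create({ publicKey });
    return { outcome: "created", credential };
  } catch (err) {
    return {
      outcome: classifyCreateError(err, sameOriginWithAncestors),
      credential: null,
    };
  }
}
```

Implementors auditing their own code for this change can look for comparisons against the literal `"SecurityError"` around credential creation and route them through a check like `classifyCreateError`.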