complete fix #671

index.bs

@@ -1007,7 +1007,7 @@ When this method is invoked, the user agent MUST execute the following algorithm
 
                 Issue: The foregoing step _may_ be incorrect, in that we are attempting to create |savedCredentialId|
                     here and use it later below, and we do not have a global in which to allocate a place for it. Perhaps this
-                    is good enough?
+                    is good enough?  addendum: [@jcjones feels the above step is likely good enough](https://github.com/w3c/webauthn/pull/665#discussion_r148130187).
 
                 1. [=list/For each=] credential descriptor |C| in |allowCredentialDescriptorList|,
                     [=set/append=] each value, if any, of <code>|C|.{{transports}}</code> to |distinctTransports|.
@@ -3189,9 +3189,10 @@ error.
 :: A single JSON string specifying a FIDO |appId|.
 
 : Client extension processing
-:: If {{PublicKeyCredentialRequestOptions/rpId}} is present, reject promise with a DOMException
-    whose name is "{{NotAllowedError}}", and terminate this algorithm.
-    Replace the calculation of |rpId| in Step 3 of [[#getAssertion]] with the
+:: If {{PublicKeyCredentialRequestOptions/rpId}} is present, return a DOMException
+    whose name is "{{NotAllowedError}}", and terminate this algorithm ([[#discover-from-external-source]]).
+
+    Otherwise, replace the calculation of |rpId| in Step 6 of [[#discover-from-external-source]] with the
     following procedure:  The client uses the value of |appid| to perform
     the AppId validation procedure (as defined by [[FIDO-APPID]]).  If valid,
     the value of |rpId| for all client processing should be replaced by the