webauthn: error immediately if user denies consent for direct attestation

https://w3c.github.io/webauthn/#sec-assertion-privacy says that we
should be careful that sites can't probe information about
authenticators.

In this case the user has touched an authenticator for a registration
but denied consent to supply direct attestation information. Currently
we let the registration timeout. But with this change we'll return an
error to the site immediately.

Change-Id: Icccbdb4f3b56824d2ea5114e7edae4db988f36f9
Reviewed-on: https://chromium-review.googlesource.com/978951Reviewed-by: Balazs Engedy <engedy@chromium.org>
Commit-Queue: Adam Langley <agl@chromium.org>
Cr-Commit-Position: refs/heads/master@{#545834}

content/browser/webauth/authenticator_impl.cc

@@ -590,9 +590,9 @@ void AuthenticatorImpl::OnRegisterResponseAttestationDecided(
          webauth::mojom::AttestationConveyancePreference::NONE);
 
   if (!attestation_permitted) {
-    // To protect users from being identified without consent, we let the
-    // timeout run out.
-    // See https://w3c.github.io/webauthn/#sec-assertion-privacy.
+    InvokeCallbackAndCleanup(
+        std::move(make_credential_response_callback_),
+        webauth::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR, nullptr);
     return;
   }