Require extractable=false for KDF import

components/webcrypto/algorithms/hkdf.cc

Index: components/webcrypto/algorithms/hkdf.cc
diff --git a/components/webcrypto/algorithms/hkdf.cc b/components/webcrypto/algorithms/hkdf.cc
index 6b22d248989e80e826fef5170d1a37f8f05d57e6..b2ce2bec354d54fa0e69c5c3c4ec1607c5e1f1b5 100644
--- a/components/webcrypto/algorithms/hkdf.cc
+++ b/components/webcrypto/algorithms/hkdf.cc
@@ -52,6 +52,9 @@ class HkdfImplementation : public AlgorithmImplementation {
     if (status.IsError())
       return status;
 
+    if (extractable)
+      return Status::ErrorImportExtractableKdfKey();
+
     return CreateWebCryptoSecretKey(
         key_data, blink::WebCryptoKeyAlgorithm::createWithoutParams(
                       blink::WebCryptoAlgorithmIdHkdf),
@@ -102,6 +105,10 @@ class HkdfImplementation : public AlgorithmImplementation {
                                 blink::WebCryptoKeyUsageMask usages,
                                 const CryptoData& key_data,
                                 blink::WebCryptoKey* key) const override {
+    // NOTE: Unlike ImportKeyRaw(), this does not enforce extractable==false.
+    // This is intentional. Although keys cannot currently be created with
+    // extractable==true, earlier implementations permitted this, so
+    // de-serialization by structured clone should not reject them.
     return CreateWebCryptoSecretKey(key_data, algorithm, extractable, usages,
                                     key);
   }