Contact emails: smcgr...@chromium.org

Specification: https://www.w3.org/TR/payment-request/#show-method

Summary

Allowing PaymentRequest.show() to be triggered without a user activation
could be abused by malicious websites. To protect users, the spec was
changed to require user activation, and we are now following through in the
Chrome implementation.


Plan is to deprecate in M98 and remove in M99. We may push the M99 date to
M100 based on compat risk; see below.

Blink component: Blink>Payments
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EPayments>

TAG review: N/A - enforcement of feature from an already-reviewed
specification

TAG review status: Pending

Risks
Interoperability and Compatibility

Interoperability: no risk. Firefox has not shipped PaymentRequest at all,
whilst Safari's implementation already requires user activation for calling
show().

Compatibility: the main risk. If a website is calling PaymentRequest.show()
without a user activation today, it will stop working. If that website
doesn't have fallback code to use another payments flow, it may lead to a
broken purchase experience for the user. Due to this risk, we added a
UseCounter, kPaymentRequestShowWithoutGesture, which tracks use of the
feature. Although hits on the UseCounter have reduced significantly since
2019*, there is still non-zero usage which is growing slowly over time. We
believe the growth to be related to the general increase of web payments,
rather than an expanded number of sites. To tackle the remaining usage, we
have performed a UKM analysis, and identified the primary remaining site. We
are in contact with them, and expect them to roll out a fix in the coming
weeks - after which we will revisit the numbers and this thread.

* https://chromestatus.com/metrics/feature/timeline/popularity/2398

Gecko: In development (https://bugzilla.mozilla.org/show_bug.cgi?id=1445138)

WebKit: Shipped/Shipping (https://bugs.webkit.org/show_bug.cgi?id=179056)

Web developers: No signals

Other signals:

Debuggability

As we are treating this as a deprecation, we intend to use the issues tab
(as per the checklist) to warn developers of the upcoming removal. Once the
support is removed, calling show() will throw a SecurityError with a clear
error message.
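
The fallback concern from the Compatibility section and the SecurityError behaviour described above, as an added example (not code from the intent or from Chromium). It gates show() on navigator.userActivation, calls show() synchronously inside the activation, and falls back on SecurityError only; PaymentRequest and navigator are injected through a hypothetical `deps` object so the logic can also run outside a browser, and the method data and details are constructed samples.

```javascript
// Added example: a checkout handler that honours the user-activation
// requirement for PaymentRequest.show(). In a page, call it from a click
// handler with deps = { PaymentRequest, navigator } (injection is an
// assumption made so the logic also runs in Node).

// Constructed sample request data; any payment method identifier would do.
const SAMPLE_METHOD_DATA = [{ supportedMethods: "https://example.com/pay" }];
const SAMPLE_DETAILS = {
  total: { label: "Total", amount: { currency: "USD", value: "9.99" } },
};

// Decide synchronously whether show() may be called: the API must exist and,
// where navigator.userActivation is available, transient activation must be
// active. Browsers without the User Activation API fall through and let
// show() itself report a SecurityError.
function canCallShow(deps) {
  if (typeof deps.PaymentRequest !== "function") return false;
  const ua = deps.navigator && deps.navigator.userActivation;
  return !ua || ua.isActive === true;
}

// SecurityError means "show() was not allowed"; AbortError (user cancelled)
// and NotSupportedError are different problems and must not trigger fallback.
function isActivationError(err) {
  return Boolean(err) && err.name === "SecurityError";
}

async function startCheckout(fallbackCheckout, deps) {
  if (!canCallShow(deps)) {
    return { via: "fallback", result: await fallbackCheckout() };
  }
  // Construct and call show() before any await: transient activation is
  // consumed by show() and expires after a few seconds, so a network
  // round-trip between the click and show() would lose it.
  const request = new deps.PaymentRequest(SAMPLE_METHOD_DATA, SAMPLE_DETAILS);
  try {
    const response = await request.show(); // catches sync throw and rejection
    return { via: "payment-request", result: response };
  } catch (err) {
    if (isActivationError(err)) {
      return { via: "fallback", result: await fallbackCheckout() };
    }
    throw err;
  }
}
```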

Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
Yes -
https://wpt.fyi/results/payment-request/show-consume-activation.https.html?label=experimental&label=master&aligned

Requires code in //chrome? False

Tracking bug: https://crbug.com/825270

Estimated milestones
Deprecate in M98, remove in M99 or M100 (compat risk depending).

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5948593429020672

Links to previous Intent discussions
Intent to prototype:
https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/2PhPgk_k9a0/m/alO4yt_HBQAJ
Intent to Experiment:
https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/i6pAWsjU7zg/m/CzqgcGAXAwAJ

   - This is a bit of a strange case, where we initially believed that we
   needed Capability Delegation to support deprecating this feature. However,
   the partner who needed that ability has instead solved their problem in a
   different way. As such, we believe it safe to require user activation for
   show() calls *without* Capability Delegation being available.


This intent message was generated by Chrome Platform Status
<https://www.chromestatus.com/> and hand edited by smcgruer@.
