On Wed, Dec 1, 2021 at 4:43 PM Stephen Mcgruer <smcgr...@chromium.org> wrote:
> Contact emails
> smcgr...@chromium.org
>
> Specification
> https://www.w3.org/TR/payment-request/#show-method
>
> Summary
>
> Allowing PaymentRequest.show() to be triggered without a user activation
> could be abused by malicious websites. To protect users, the spec was
> changed to require user activation, and we are now following through in the
> Chrome implementation.
>
> Plan is to deprecate in M98 and remove in M99. We may push the M99 date to
> M100 based on compat risk; see below.
>
> Blink component
> Blink>Payments
> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EPayments>
>
> TAG review
> N/A - enforcement of feature from an already-reviewed specification
>
> TAG review status
> Pending
>
> Risks
> Interoperability and Compatibility
>
> Interoperability: no risk. Firefox has not shipped PaymentRequest at all,
> whilst Safari's implementation already requires user activation for calling
> show(). Compatibility: the main risk. If a website is calling
> PaymentRequest.show() without a user activation today, it will stop
> working. If that website doesn't have fallback code to use another payments
> flow, it may lead to a broken purchase experience for the user. Due to this
> risk, we added a UseCounter, kPaymentRequestShowWithoutGesture, which
> tracks use of the feature. Although hits on the UseCounter have reduced
> significantly since 2019*, there is still non-zero usage which is growing
> slowly over time. We believe the growth to be related to the general
> increase of web payments, rather than an expanded number of sites. To
> tackle the remaining usage, we have performed a UKM analysis, and
> identified the primary remaining site. We are in contact with them, and
> expect them to roll out a fix in the coming weeks - after which we will
> revisit the numbers and this thread.
>

Does the primary remaining site have fallback code, or will it be broken?

> * https://chromestatus.com/metrics/feature/timeline/popularity/2398
>
> Gecko: In development (https://bugzilla.mozilla.org/show_bug.cgi?id=1445138)
>
> WebKit: Shipped/Shipping (https://bugs.webkit.org/show_bug.cgi?id=179056)
>
> Web developers: No signals
>
> Other signals:
>
> Debuggability
>
> As we are treating this as a deprecation, we intend to use the issues tab
> (as per the checklist) to warn developers of the upcoming removal. Once the
> support is removed, calling show() will throw a SecurityError with a clear
> error message.
>
> Is this feature fully tested by web-platform-tests
> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
> Yes - https://wpt.fyi/results/payment-request/show-consume-activation.https.html?label=experimental&label=master&aligned
>
> Requires code in //chrome?
> False
>
> Tracking bug
> https://crbug.com/825270
>
> Estimated milestones
> Deprecate in M98, remove in M99 or M100 (compat risk depending).
>
> Link to entry on the Chrome Platform Status
> https://chromestatus.com/feature/5948593429020672
>
> Links to previous Intent discussions
> Intent to prototype:
> https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/2PhPgk_k9a0/m/alO4yt_HBQAJ
> Intent to Experiment:
> https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/i6pAWsjU7zg/m/CzqgcGAXAwAJ
>
> - This is a bit of a strange case, where we initially believed that we
> needed Capability Delegation to support deprecating this feature. However,
> the partner who needed that ability has instead solved their problem in a
> different way. As such, we believe it safe to require user activation for
> show() calls *without* Capability Delegation being available.
>
> This intent message was generated by Chrome Platform Status
> <https://www.chromestatus.com/> and hand edited by smcgruer@.
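
The compatibility risk discussed in this thread (a site that calls show() without user activation and has no fallback flow), sketched as an added example that is not part of the original messages or of Chromium's code: show() is reached from a click handler, and a SecurityError routes the buyer to another checkout flow instead of leaving the purchase broken. The names `startCheckout`, `fallbackCheckout`, `#buy`, `/checkout` and the `pay.example` method URL are assumptions.

```javascript
// Added example. startCheckout, fallbackCheckout, '#buy', '/checkout' and
// the pay.example method URL are hypothetical, not taken from the thread.
async function startCheckout({ PaymentRequestCtor, methods, details, fallbackCheckout }) {
  // No PaymentRequest in this browser: go straight to the other flow.
  if (typeof PaymentRequestCtor !== 'function') {
    return { flow: 'fallback', reason: 'unsupported', result: await fallbackCheckout() };
  }
  try {
    // Construct and show() before any awaited work, so the click's
    // transient user activation is still available when show() runs.
    const request = new PaymentRequestCtor(methods, details);
    const response = await request.show();
    return { flow: 'payment-request', response };
  } catch (err) {
    switch (err && err.name) {
      case 'AbortError': // the user dismissed the payment sheet
        return { flow: 'cancelled', reason: err.name };
      case 'SecurityError': // e.g. show() called without user activation
      case 'NotSupportedError': // no usable payment method
        return { flow: 'fallback', reason: err.name, result: await fallbackCheckout() };
      default:
        throw err; // programming errors should stay visible
    }
  }
}

// Browser wiring: show() is only ever reached from inside a click handler.
if (typeof document !== 'undefined') {
  document.querySelector('#buy')?.addEventListener('click', async () => {
    const outcome = await startCheckout({
      PaymentRequestCtor: window.PaymentRequest,
      methods: [{ supportedMethods: 'https://pay.example/method' }],
      details: { total: { label: 'Total', amount: { currency: 'USD', value: '10.00' } } },
      fallbackCheckout: async () => window.location.assign('/checkout'),
    });
    if (outcome.flow === 'payment-request') {
      // Call complete() once the server has processed the payment.
      await outcome.response.complete('success');
    }
  });
}
```

Logging the `reason` field server-side gives a site its own count of activation-less show() calls, separate from Chrome's UseCounter.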