LGTM2

On Wed, Dec 1, 2021 at 9:33 AM Yoav Weiss <yoavwe...@chromium.org> wrote:
> LGTM1 to deprecate in M98 and remove in M99, assuming no surprises come up
> on the usage front.
>
> On Wed, Dec 1, 2021 at 6:31 PM Stephen Mcgruer <smcgr...@chromium.org>
> wrote:
>
>> To be clear; I think we have a good enough shot of that remaining site
>> fixing their code 'soon' (I expect O(weeks)) that we both:
>>
>> 1. Shouldn't do the removal till they have, and
>> 2. Don't need to provide an alternative in the form of capability
>>    delegation.
>>
>> But the code change to at least start this deprecation would have to land
>> by December 9th (or we punt for 1.5 months), hence why we're filing this
>> ahead of them fixing their site :).
>>
>> On Wed, 1 Dec 2021 at 12:22, Stephen Mcgruer <smcgr...@chromium.org>
>> wrote:
>>
>>> > Does the primary remaining site have fallback code, or will it be
>>> > broken?
>>>
>>> Yes and no :). It doesn't have automatic fallback for the specific
>>> payment method the user has selected (Google Pay), but the user could then
>>> select one of the other payment methods that the site supports (either a
>>> credit card flow or I think PayPal IIRC).
>>>
>>> On Wed, 1 Dec 2021 at 11:05, Yoav Weiss <yoavwe...@chromium.org> wrote:
>>>
>>>> On Wed, Dec 1, 2021 at 4:43 PM Stephen Mcgruer <smcgr...@chromium.org>
>>>> wrote:
>>>>
>>>>> Contact emails: smcgr...@chromium.org
>>>>>
>>>>> Specification: https://www.w3.org/TR/payment-request/#show-method
>>>>>
>>>>> Summary
>>>>>
>>>>> Allowing PaymentRequest.show() to be triggered without a user
>>>>> activation could be abused by malicious websites. To protect users, the
>>>>> spec was changed to require user activation, and we are now following
>>>>> through in the Chrome implementation.
>>>>>
>>>>> Plan is to deprecate in M98 and remove in M99. We may push the M99
>>>>> date to M100 based on compat risk; see below.
>>>>>
>>>>> Blink component: Blink>Payments
>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EPayments>
>>>>>
>>>>> TAG review: N/A - enforcement of feature from an already-reviewed
>>>>> specification
>>>>>
>>>>> TAG review status: Pending
>>>>>
>>>>> Risks
>>>>> Interoperability and Compatibility
>>>>>
>>>>> Interoperability: no risk. Firefox has not shipped PaymentRequest at
>>>>> all, whilst Safari's implementation already requires user activation for
>>>>> calling show().
>>>>>
>>>>> Compatibility: the main risk. If a website is calling
>>>>> PaymentRequest.show() without a user activation today, it will stop
>>>>> working. If that website doesn't have fallback code to use another
>>>>> payments flow, it may lead to a broken purchase experience for the user.
>>>>> Due to this risk, we added a UseCounter,
>>>>> kPaymentRequestShowWithoutGesture, which tracks use of the feature.
>>>>> Although hits on the UseCounter have reduced significantly since 2019*,
>>>>> there is still non-zero usage which is growing slowly over time. We
>>>>> believe the growth to be related to the general increase of web
>>>>> payments, rather than an expanded number of sites. To tackle the
>>>>> remaining usage, we have performed a UKM analysis, and identified the
>>>>> primary remaining site. We are in contact with them, and expect them to
>>>>> roll out a fix in the coming weeks - after which we will revisit the
>>>>> numbers and this thread.
>>>>>
>>>>
>>>> Does the primary remaining site have fallback code, or will it be
>>>> broken?
>>>>
>>>>> * https://chromestatus.com/metrics/feature/timeline/popularity/2398
>>>>>
>>>>> Gecko: In development
>>>>> (https://bugzilla.mozilla.org/show_bug.cgi?id=1445138)
>>>>>
>>>>> WebKit: Shipped/Shipping
>>>>> (https://bugs.webkit.org/show_bug.cgi?id=179056)
>>>>>
>>>>> Web developers: No signals
>>>>>
>>>>> Other signals:
>>>>>
>>>>> Debuggability
>>>>>
>>>>> As we are treating this as a deprecation, we intend to use the issues
>>>>> tab (as per the checklist) to warn developers of the upcoming removal.
>>>>> Once the support is removed, calling show() will throw a SecurityError
>>>>> with a clear error message.
>>>>>
>>>>> Is this feature fully tested by web-platform-tests
>>>>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
>>>>> Yes -
>>>>> https://wpt.fyi/results/payment-request/show-consume-activation.https.html?label=experimental&label=master&aligned
>>>>>
>>>>> Requires code in //chrome? False
>>>>>
>>>>> Tracking bug: https://crbug.com/825270
>>>>>
>>>>> Estimated milestones
>>>>> Deprecate in M98, remove in M99 or M100 (compat risk depending).
>>>>>
>>>>> Link to entry on the Chrome Platform Status
>>>>> https://chromestatus.com/feature/5948593429020672
>>>>>
>>>>> Links to previous Intent discussions
>>>>> Intent to prototype:
>>>>> https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/2PhPgk_k9a0/m/alO4yt_HBQAJ
>>>>> Intent to Experiment:
>>>>> https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/i6pAWsjU7zg/m/CzqgcGAXAwAJ
>>>>>
>>>>> - This is a bit of a strange case, where we initially believed
>>>>>   that we needed Capability Delegation to support deprecating this
>>>>>   feature. However, the partner who needed that ability has instead
>>>>>   solved their problem in a different way. As such, we believe it safe
>>>>>   to require user activation for show() calls *without* Capability
>>>>>   Delegation being available.
>>>>>
>>>>> This intent message was generated by Chrome Platform Status
>>>>> <https://www.chromestatus.com/> and hand edited by smcgruer@.
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "blink-dev" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to blink-dev+unsubscr...@chromium.org.
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADY3Mae4RVpVxnjMS8oJ7WE7yOtAiqqa79%3D8v%2ByNf2XhCtHWgg%40mail.gmail.com
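
What a site needs once show() requires user activation, as an added JavaScript example that is not part of this thread or of Chromium's code: the call is made from a click handler, and a SecurityError is routed to another payment flow instead of leaving the purchase broken. The names startCheckout, classifyShowError, fallbackCheckout, the sample method URL and the #pay button id are assumptions; navigator.userActivation is the browser's User Activation API, which the thread does not mention.

```javascript
// Added example, not code from the thread. startCheckout, fallbackCheckout,
// SAMPLE_METHODS, SAMPLE_DETAILS and the #pay button id are hypothetical.

// Constructed sample arguments for the PaymentRequest constructor.
const SAMPLE_METHODS = [{ supportedMethods: 'https://pay.example/method' }];
const SAMPLE_DETAILS = {
  total: { label: 'Total', amount: { currency: 'USD', value: '1.00' } },
};

// Map a show() failure to what the page should do next.
function classifyShowError(err) {
  const name = err && err.name;
  if (name === 'SecurityError') return 'fallback'; // no user activation
  if (name === 'AbortError') return 'cancelled';   // user closed the sheet
  return 'rethrow';
}

// env carries the browser objects so the logic can be exercised with fakes.
// Nothing is awaited before show(), so it runs while the click is still active.
async function startCheckout(env, fallbackCheckout) {
  if (typeof env.PaymentRequest !== 'function') {
    return { path: 'fallback', result: await fallbackCheckout() };
  }
  // navigator.userActivation.isActive is false outside a user gesture.
  if (env.userActivation && !env.userActivation.isActive) {
    return { path: 'needs-gesture' };
  }
  try {
    const request = new env.PaymentRequest(SAMPLE_METHODS, SAMPLE_DETAILS);
    return { path: 'payment-request', response: await request.show() };
  } catch (err) {
    const action = classifyShowError(err);
    if (action === 'fallback') {
      return { path: 'fallback', result: await fallbackCheckout() };
    }
    if (action === 'cancelled') return { path: 'cancelled' };
    throw err;
  }
}

// Browser wiring: call from the click handler, never on load or a timer.
if (typeof document !== 'undefined') {
  document.querySelector('#pay')?.addEventListener('click', () => {
    startCheckout(
      { PaymentRequest: window.PaymentRequest, userActivation: navigator.userActivation },
      async () => 'card-form' // placeholder for the site's other payment flow
    ).then((outcome) => console.log(outcome.path));
  });
}
```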