LGTM3

On 12/1/21 12:34 PM, Chris Harrelson wrote:
LGTM2

On Wed, Dec 1, 2021 at 9:33 AM Yoav Weiss <yoavwe...@chromium.org> wrote:

    LGTM1 to deprecate in M98 and remove in M99, assuming no surprises
    come up on the usage front.

    On Wed, Dec 1, 2021 at 6:31 PM Stephen Mcgruer
    <smcgr...@chromium.org> wrote:

        To be clear; I think we have a good enough shot of that
        remaining site fixing their code 'soon' (I expect O(weeks))
        that we both:

        1. Shouldn't do the removal till they have, and
        2. Don't need to provide an alternative in the form of
        capability delegation.

        But the code change to at least start this deprecation would
        have to land by December 9th (or we punt for 1.5 months),
        hence why we're filing this ahead of them fixing their site :).

        On Wed, 1 Dec 2021 at 12:22, Stephen Mcgruer
        <smcgr...@chromium.org> wrote:

            > Does the primary remaining site have fallback code, or
            will it be broken?

            Yes and no :). It doesn't have automatic fallback for the
            specific payment method the user has selected (Google
            Pay), but the user could then select one of the other
            payment methods that the site supports (either a credit
            card flow or I think PayPal IIRC).

            On Wed, 1 Dec 2021 at 11:05, Yoav Weiss
            <yoavwe...@chromium.org> wrote:



                On Wed, Dec 1, 2021 at 4:43 PM Stephen Mcgruer
                <smcgr...@chromium.org> wrote:


                            Contact emails

                    smcgr...@chromium.org


                            Specification

                    https://www.w3.org/TR/payment-request/#show-method


                            Summary

                    Allowing PaymentRequest.show() to be triggered
                    without a user activation could be abused by
                    malicious websites. To protect users, the spec was
                    changed to require user activation, and we are now
                    following through in the Chrome implementation.

                    Plan is to deprecate in M98 and remove in M99. We
                    may push the M99 date to M100 based on compat
                    risk; see below.


                            Blink component

                    Blink>Payments
                    
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EPayments>


                            TAG review

                    N/A - enforcement of feature from an
                    already-reviewed specification


                            TAG review status

                    Pending


                            Risks


                            Interoperability and Compatibility

                    Interoperability: no risk. Firefox has not shipped
                    PaymentRequest at all, whilst Safari's
                    implementation already requires user activation
                    for calling show(). Compatibility: the main risk.
                    If a website is calling PaymentRequest.show()
                    without a user activation today, it will stop
                    working. If that website doesn't have fallback
                    code to use another payments flow, it may lead to
                    a broken purchase experience for the user. Due to
                    this risk, we added a UseCounter,
                    kPaymentRequestShowWithoutGesture, which tracks
                    use of the feature. Although hits on the
                    UseCounter have reduced significantly since 2019*,
                    there is still non-zero usage which is growing
                    slowly over time. We believe the growth to be
                    related to the general increase of web payments,
                    rather than an expanded number of sites. To tackle
                    the remaining usage, we have performed a UKM
                    analysis, and identified the primary remaining
                    site. We are in contact with them, and expect them
                    to roll out a fix in the coming weeks - after
                    which we will revisit the numbers and this thread.


                Does the primary remaining site have fallback code, or
                will it be broken?

                    *
                    
https://chromestatus.com/metrics/feature/timeline/popularity/2398


                    Gecko: In development
                    (https://bugzilla.mozilla.org/show_bug.cgi?id=1445138)

                    WebKit: Shipped/Shipping
                    (https://bugs.webkit.org/show_bug.cgi?id=179056)

                    Web developers: No signals

                    Other signals:


                            Debuggability

                    As we are treating this as a deprecation, we
                    intend to use the issues tab (as per the
                    checklist) to warn developers of the upcoming
                    removal. Once the support is removed, calling
                    show() will throw a SecurityError with a clear
                    error message.


                            Is this feature fully tested by
                            web-platform-tests
                            
<https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?

                    Yes -
                    
https://wpt.fyi/results/payment-request/show-consume-activation.https.html?label=experimental&label=master&aligned
                    
<https://wpt.fyi/results/payment-request/show-consume-activation.https.html?label=experimental&label=master&aligned>


                            Requires code in //chrome?

                    False


                            Tracking bug

                    https://crbug.com/825270


                            Estimated milestones

                    Deprecate in M98, remove in M99 or M100 (compat
                    risk depending).


                            Link to entry on the Chrome Platform Status

                    https://chromestatus.com/feature/5948593429020672


                            Links to previous Intent discussions

                    Intent to prototype:
                    
https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/2PhPgk_k9a0/m/alO4yt_HBQAJ
                    Intent to Experiment:
                    
https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/i6pAWsjU7zg/m/CzqgcGAXAwAJ

                      * This is a bit of a strange case, where we
                        initially believed that we needed Capability
                        Delegation to support deprecating this
                        feature. However, the partner who needed that
                        ability has instead solved their problem in a
                        different way. As such, we believe it safe to
                        require user activation for show() calls
                        *without* Capability Delegation being available.


                    This intent message was generated by Chrome
                    Platform Status
                    <https://www.chromestatus.com/> and hand edited by
                    smcgruer@.
-- You received this message because you are
                    subscribed to the Google Groups "blink-dev" group.
                    To unsubscribe from this group and stop receiving
                    emails from it, send an email to
                    blink-dev+unsubscr...@chromium.org.
                    To view this discussion on the web visit
                    
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADY3Mae4RVpVxnjMS8oJ7WE7yOtAiqqa79%3D8v%2ByNf2XhCtHWgg%40mail.gmail.com
                    
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADY3Mae4RVpVxnjMS8oJ7WE7yOtAiqqa79%3D8v%2ByNf2XhCtHWgg%40mail.gmail.com?utm_medium=email&utm_source=footer>.

-- You received this message because you are subscribed to the Google
    Groups "blink-dev" group.
    To unsubscribe from this group and stop receiving emails from it,
    send an email to blink-dev+unsubscr...@chromium.org.
    To view this discussion on the web visit
    
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfU3ebwnoKvHPkXhQeSZ2mSfqgW_i_pXJVqEGaFjPJWWKA%40mail.gmail.com
    
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfU3ebwnoKvHPkXhQeSZ2mSfqgW_i_pXJVqEGaFjPJWWKA%40mail.gmail.com?utm_medium=email&utm_source=footer>.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw-19DXQBytn%2BUChj%3D5p9JrgrhMZYGxVDYgkv262ttDkoA%40mail.gmail.com <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw-19DXQBytn%2BUChj%3D5p9JrgrhMZYGxVDYgkv262ttDkoA%40mail.gmail.com?utm_medium=email&utm_source=footer>.

--
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/c5524e7e-8627-9142-434e-28100c0d19aa%40chromium.org.

Reply via email to