LGTM2
On Wed, Dec 1, 2021 at 9:33 AM Yoav Weiss
<yoavwe...@chromium.org> wrote:
LGTM1 to deprecate in M98 and remove in M99, assuming no
surprises come up on the usage front.
On Wed, Dec 1, 2021 at 6:31 PM Stephen Mcgruer
<smcgr...@chromium.org> wrote:
To be clear; I think we have a good enough shot of
that remaining site fixing their code 'soon' (I
expect O(weeks)) that we both:
1. Shouldn't do the removal till they have, and
2. Don't need to provide an alternative in the form
of capability delegation.
But the code change to at least start this
deprecation would have to land by December 9th (or we
punt for 1.5 months), hence why we're filing this
ahead of them fixing their site :).
On Wed, 1 Dec 2021 at 12:22, Stephen Mcgruer
<smcgr...@chromium.org> wrote:
> Does the primary remaining site have fallback
code, or will it be broken?
Yes and no :). It doesn't have automatic fallback
for the specific payment method the user has
selected (Google Pay), but the user could then
select one of the other payment methods that the
site supports (either a credit card flow or I
think PayPal IIRC).
On Wed, 1 Dec 2021 at 11:05, Yoav Weiss
<yoavwe...@chromium.org> wrote:
On Wed, Dec 1, 2021 at 4:43 PM Stephen
Mcgruer <smcgr...@chromium.org> wrote:
Contact emails
smcgr...@chromium.org
Specification
https://www.w3.org/TR/payment-request/#show-method
<https://www.w3.org/TR/payment-request/#show-method>
Summary
Allowing PaymentRequest.show() to be
triggered without a user activation could
be abused by malicious websites. To
protect users, the spec was changed to
require user activation, and we are now
following through in the Chrome
implementation.
Plan is to deprecate in M98 and remove in
M99. We may push the M99 date to M100
based on compat risk; see below.
Blink component
Blink>Payments
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EPayments>
TAG review
N/A - enforcement of feature from an
already-reviewed specification
TAG review status
Pending
Risks
Interoperability and Compatibility
Interoperability: no risk. Firefox has
not shipped PaymentRequest at all, whilst
Safari's implementation already requires
user activation for calling show().
Compatibility: the main risk. If a
website is calling PaymentRequest.show()
without a user activation today, it will
stop working. If that website doesn't
have fallback code to use another
payments flow, it may lead to a broken
purchase experience for the user. Due to
this risk, we added a UseCounter,
kPaymentRequestShowWithoutGesture, which
tracks use of the feature. Although hits
on the UseCounter have reduced
significantly since 2019*, there is still
non-zero usage which is growing slowly
over time. We believe the growth to be
related to the general increase of web
payments, rather than an expanded number
of sites. To tackle the remaining usage,
we have performed a UKM analysis, and
identified the primary remaining site. We
are in contact with them, and expect them
to roll out a fix in the coming weeks -
after which we will revisit the numbers
and this thread.
Does the primary remaining site have fallback
code, or will it be broken?
*
https://chromestatus.com/metrics/feature/timeline/popularity/2398
<https://chromestatus.com/metrics/feature/timeline/popularity/2398>
Gecko: In development
(https://bugzilla.mozilla.org/show_bug.cgi?id=1445138
<https://bugzilla.mozilla.org/show_bug.cgi?id=1445138>)
WebKit: Shipped/Shipping
(https://bugs.webkit.org/show_bug.cgi?id=179056
<https://bugs.webkit.org/show_bug.cgi?id=179056>)
Web developers: No signals
Other signals:
Debuggability
As we are treating this as a deprecation,
we intend to use the issues tab (as per
the checklist) to warn developers of the
upcoming removal. Once the support is
removed, calling show() will throw a
SecurityError with a clear error message.
Is this feature fully tested by
web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
Yes -
https://wpt.fyi/results/payment-request/show-consume-activation.https.html?label=experimental&label=master&aligned
<https://wpt.fyi/results/payment-request/show-consume-activation.https.html?label=experimental&label=master&aligned>
Requires code in //chrome?
False
Tracking bug
https://crbug.com/825270
Estimated milestones
Deprecate in M98, remove in M99 or M100
(compat risk depending).
Link to entry on the Chrome
Platform Status
https://chromestatus.com/feature/5948593429020672
<https://chromestatus.com/feature/5948593429020672>
Links to previous Intent discussions
Intent to prototype:
https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/2PhPgk_k9a0/m/alO4yt_HBQAJ
<https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/2PhPgk_k9a0/m/alO4yt_HBQAJ>
Intent to Experiment:
https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/i6pAWsjU7zg/m/CzqgcGAXAwAJ
<https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/i6pAWsjU7zg/m/CzqgcGAXAwAJ>
* This is a bit of a strange case,
where we initially believed that we
needed Capability Delegation to
support deprecating this feature.
However, the partner who needed that
ability has instead solved their
problem in a different way. As such,
we believe it safe to require user
activation for show() calls
*without* Capability Delegation being
available.
This intent message was generated by
Chrome Platform Status
<https://www.chromestatus.com/> and hand
edited by smcgruer@.
--
You received this message because you are
subscribed to the Google Groups
"blink-dev" group.
To unsubscribe from this group and stop
receiving emails from it, send an email
to blink-dev+unsubscr...@chromium.org
<mailto:blink-dev+unsubscr...@chromium.org>.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADY3Mae4RVpVxnjMS8oJ7WE7yOtAiqqa79%3D8v%2ByNf2XhCtHWgg%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADY3Mae4RVpVxnjMS8oJ7WE7yOtAiqqa79%3D8v%2ByNf2XhCtHWgg%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to
the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails
from it, send an email to
blink-dev+unsubscr...@chromium.org
<mailto:blink-dev+unsubscr...@chromium.org>.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfU3ebwnoKvHPkXhQeSZ2mSfqgW_i_pXJVqEGaFjPJWWKA%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfU3ebwnoKvHPkXhQeSZ2mSfqgW_i_pXJVqEGaFjPJWWKA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the
Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from
it, send an email to blink-dev+unsubscr...@chromium.org
<mailto:blink-dev+unsubscr...@chromium.org>.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw-19DXQBytn%2BUChj%3D5p9JrgrhMZYGxVDYgkv262ttDkoA%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw-19DXQBytn%2BUChj%3D5p9JrgrhMZYGxVDYgkv262ttDkoA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
