LGTM2
On Wed, Dec 1, 2021 at 9:33 AM Yoav Weiss
<yoavwe...@chromium.org> wrote:
LGTM1 to deprecate in M98 and remove in M99,
assuming no surprises come up on the usage front.
On Wed, Dec 1, 2021 at 6:31 PM Stephen Mcgruer
<smcgr...@chromium.org> wrote:
To be clear; I think we have a good enough shot
of that remaining site fixing their code 'soon'
(I expect O(weeks)) that we both:
1. Shouldn't do the removal till they have, and
2. Don't need to provide an alternative in the
form of capability delegation.
But the code change to at least start this
deprecation would have to land by December 9th
(or we punt for 1.5 months), hence why we're
filing this ahead of them fixing their site :).
On Wed, 1 Dec 2021 at 12:22, Stephen Mcgruer
<smcgr...@chromium.org> wrote:
> Does the primary remaining site have
fallback code, or will it be broken?
Yes and no :). It doesn't have automatic
fallback for the specific payment method the
user has selected (Google Pay), but the user
could then select one of the other payment
methods that the site supports (either a
credit card flow or I think PayPal IIRC).
On Wed, 1 Dec 2021 at 11:05, Yoav Weiss
<yoavwe...@chromium.org> wrote:
On Wed, Dec 1, 2021 at 4:43 PM Stephen
Mcgruer <smcgr...@chromium.org> wrote:
Contact emails
smcgr...@chromium.org
Specification
https://www.w3.org/TR/payment-request/#show-method
Summary
Allowing PaymentRequest.show() to be
triggered without a user activation
could be abused by malicious
websites. To protect users, the spec
was changed to require user
activation, and we are now following
through in the Chrome implementation.
Plan is to deprecate in M98 and
remove in M99. We may push the M99
date to M100 based on compat risk;
see below.
Blink component
Blink>Payments
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EPayments>
TAG review
N/A - enforcement of feature from an
already-reviewed specification
TAG review status
Pending
Risks
Interoperability and
Compatibility
Interoperability: no risk. Firefox
has not shipped PaymentRequest at
all, whilst Safari's implementation
already requires user activation for
calling show(). Compatibility: the
main risk. If a website is calling
PaymentRequest.show() without a user
activation today, it will stop
working. If that website doesn't
have fallback code to use another
payments flow, it may lead to a
broken purchase experience for the
user. Due to this risk, we added a
UseCounter,
kPaymentRequestShowWithoutGesture,
which tracks use of the feature.
Although hits on the UseCounter have
reduced significantly since 2019*,
there is still non-zero usage which
is growing slowly over time. We
believe the growth to be related to
the general increase of web
payments, rather than an expanded
number of sites. To tackle the
remaining usage, we have performed a
UKM analysis, and identified the
primary remaining site. We are in
contact with them, and expect them
to roll out a fix in the coming
weeks - after which we will revisit
the numbers and this thread.
Does the primary remaining site have
fallback code, or will it be broken?
*
https://chromestatus.com/metrics/feature/timeline/popularity/2398
Gecko: In development
(https://bugzilla.mozilla.org/show_bug.cgi?id=1445138)
WebKit: Shipped/Shipping
(https://bugs.webkit.org/show_bug.cgi?id=179056)
Web developers: No signals
Other signals:
Debuggability
As we are treating this as a
deprecation, we intend to use the
issues tab (as per the checklist) to
warn developers of the upcoming
removal. Once the support is
removed, calling show() will throw a
SecurityError with a clear error
message.
Is this feature fully tested
by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
Yes -
https://wpt.fyi/results/payment-request/show-consume-activation.https.html?label=experimental&label=master&aligned
<https://wpt.fyi/results/payment-request/show-consume-activation.https.html?label=experimental&label=master&aligned>
Requires code in //chrome?
False
Tracking bug
https://crbug.com/825270
Estimated milestones
Deprecate in M98, remove in M99 or
M100 (compat risk depending).
Link to entry on the Chrome
Platform Status
https://chromestatus.com/feature/5948593429020672
Links to previous Intent
discussions
Intent to prototype:
https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/2PhPgk_k9a0/m/alO4yt_HBQAJ
Intent to Experiment:
https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/i6pAWsjU7zg/m/CzqgcGAXAwAJ
* This is a bit of a strange case,
where we initially believed that
we needed Capability Delegation
to support deprecating this
feature. However, the partner
who needed that ability has
instead solved their problem in
a different way. As such, we
believe it safe to require user
activation for show() calls
*without* Capability Delegation
being available.
This intent message was generated by
Chrome Platform Status
<https://www.chromestatus.com/> and
hand edited by smcgruer@.
--
You received this message because
you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and
stop receiving emails from it, send
an email to
blink-dev+unsubscr...@chromium.org.
To view this discussion on the web
visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADY3Mae4RVpVxnjMS8oJ7WE7yOtAiqqa79%3D8v%2ByNf2XhCtHWgg%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADY3Mae4RVpVxnjMS8oJ7WE7yOtAiqqa79%3D8v%2ByNf2XhCtHWgg%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed
to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving
emails from it, send an email to
blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfU3ebwnoKvHPkXhQeSZ2mSfqgW_i_pXJVqEGaFjPJWWKA%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfU3ebwnoKvHPkXhQeSZ2mSfqgW_i_pXJVqEGaFjPJWWKA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to
the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails
from it, send an email to
blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw-19DXQBytn%2BUChj%3D5p9JrgrhMZYGxVDYgkv262ttDkoA%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw-19DXQBytn%2BUChj%3D5p9JrgrhMZYGxVDYgkv262ttDkoA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
