Contact emails nbur...@chromium.org, rous...@chromium.org, smcgr...@chromium.org
Explainer SPC explainer: https://github.com/w3c/secure-payment-confirmation/blob/main/explainer.md Specification SPC specification: https://w3c.github.io/secure-payment-confirmation/ Design docs N/A Summary This intent is to add a user activation requirement for Secure Payment Confirmation (SPC) credential enrollment in a cross-origin iframe to help mitigate a privacy issue (see w3c/secure-payment-confirmation#128 <https://github.com/w3c/secure-payment-confirmation/issues/128> for discussion of a potential identity tracking attack). Original feature summary: Secure payment confirmation augments the payment authentication experience on the web with the help of WebAuthn. The feature adds a new 'payment' extension to WebAuthn, which allows a relying party such as a bank to create a PublicKeyCredential that can be queried by any merchant origin as part of an online checkout via the Payment Request API using the 'secure-payment-confirmation' payment method. Blink component Blink>Payments <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EPayments> TAG review SPC TAG review: https://github.com/w3ctag/design-reviews/issues/675 TAG review status Closed (Resolution: satisfied) Interoperability and Compatibility While adding a new requirement for user activation is technically a breaking change, we are confident in this change as the feature is expected to be used in a payment flow where the user has provided some form of input to continue. We have confirmed with the external partners who are using this feature that they do currently have a user activation. Gecko: No signal (https://github.com/mozilla/standards-positions/issues/570) Historically (>1 year old) positive signal from informal conversation in W3C Payment Handler meetings. However Firefox have since not been involved in the API development. WebKit: No signal ( https://lists.webkit.org/pipermail/webkit-dev/2021-August/031956.html) Web developers: Positive ( https://lists.w3.org/Archives/Public/public-payments-wg/2021Aug/0005.html) Support and involvement in API development from multiple web developers and payment industry partners. Both Stripe and AirBnB have publicly stated that they have either completed or are in the process of prototyping/experimenting with SPC Debuggability Existing devtools debugging features should cover SPC (e.g. breakpoints, console, etc) Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md> ? Yes, coverage for the user activation requirement will be added to the existing test suite: https://wpt.fyi/results/secure-payment-confirmation?label=master&label=experimental&aligned Flag name N/A Requires code in //chrome? No Tracking bug User activation bug: https://crbug.com/1322603 Original feature bug: https://crbug.com/1124927 Launch bug Original SPC launch bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1236570 We believe this is a small enough change to an existing feature that it doesn’t require its own launch bug. Link to entry on the Chrome Platform Status https://chromestatus.com/guide/edit/5104475634139136 Links to previous Intent discussions Intent to Prototype v1: https://groups.google.com/a/chromium.org/d/topic/blink-dev/myUR5gyd5Js/discussion Intent to Experiment v2: https://groups.google.com/a/chromium.org/g/blink-dev/c/6Dd00NJ-td8 Intent to Ship v2: https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/U5K69fbA6SU This intent message was generated by Chrome Platform Status <https://chromestatus.com/>. -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADvKJHND4_zciu4u2EyuXrfr%2Bk9TmUQyKbeYJy%2BsuUtH3UF7_w%40mail.gmail.com.
