LGTM2. -mike
On Tue, May 10, 2022 at 8:01 PM Mike Taylor <miketa...@chromium.org> wrote:

> LGTM1 - this seems like a useful change. Thanks for involving partners.
>
> On 5/5/22 12:23 PM, Nick Burris wrote:
>
> > Contact emails
> >
> > nbur...@chromium.org, rous...@chromium.org, smcgr...@chromium.org
> >
> > Explainer
> >
> > SPC explainer: https://github.com/w3c/secure-payment-confirmation/blob/main/explainer.md
> >
> > Specification
> >
> > SPC specification: https://w3c.github.io/secure-payment-confirmation/
> >
> > Design docs
> >
> > N/A
> >
> > Summary
> >
> > This intent is to add a user activation requirement for Secure Payment
> > Confirmation (SPC) credential enrollment in a cross-origin iframe to help
> > mitigate a privacy issue (see w3c/secure-payment-confirmation#128
> > <https://github.com/w3c/secure-payment-confirmation/issues/128> for
> > discussion of a potential identity tracking attack).
> >
> > Original feature summary: Secure payment confirmation augments the
> > payment authentication experience on the web with the help of WebAuthn. The
> > feature adds a new 'payment' extension to WebAuthn, which allows a relying
> > party such as a bank to create a PublicKeyCredential that can be queried by
> > any merchant origin as part of an online checkout via the Payment Request
> > API using the 'secure-payment-confirmation' payment method.
> >
> > Blink component
> >
> > Blink>Payments
> > <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EPayments>
> >
> > TAG review
> >
> > SPC TAG review: https://github.com/w3ctag/design-reviews/issues/675
> >
> > TAG review status
> >
> > Closed (Resolution: satisfied)
> >
> > Interoperability and Compatibility
> >
> > While adding a new requirement for user activation is technically a
> > breaking change, we are confident in this change as the feature is expected
> > to be used in a payment flow where the user has provided some form of input
> > to continue. We have confirmed with the external partners who are using
> > this feature that they do currently have a user activation.
> >
> > Gecko: No signal (https://github.com/mozilla/standards-positions/issues/570)
> > Historically (>1 year old) positive signal from informal conversation in W3C
> > Payment Handler meetings. However Firefox have since not been involved in the
> > API development.
> >
> > WebKit: No signal
> > (https://lists.webkit.org/pipermail/webkit-dev/2021-August/031956.html)
> >
> > Web developers: Positive
> > (https://lists.w3.org/Archives/Public/public-payments-wg/2021Aug/0005.html)
> > Support and involvement in API development from multiple web developers and
> > payment industry partners. Both Stripe and AirBnB have publicly stated that
> > they have either completed or are in the process of
> > prototyping/experimenting with SPC
> >
> > Debuggability
> >
> > Existing devtools debugging features should cover SPC (e.g. breakpoints,
> > console, etc)
> >
> > Is this feature fully tested by web-platform-tests
> > <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
> >
> > Yes, coverage for the user activation requirement will be added to the
> > existing test suite:
> >
> > https://wpt.fyi/results/secure-payment-confirmation?label=master&label=experimental&aligned
> >
> > Flag name
> >
> > N/A
> >
> > Requires code in //chrome?
> >
> > No
> >
> > Tracking bug
> >
> > User activation bug: https://crbug.com/1322603
> >
> > Original feature bug: https://crbug.com/1124927
> >
> > Launch bug
> >
> > Original SPC launch bug:
> > https://bugs.chromium.org/p/chromium/issues/detail?id=1236570
> >
> > We believe this is a small enough change to an existing feature that it
> > doesn’t require its own launch bug.
> >
> > Link to entry on the Chrome Platform Status
> >
> > https://chromestatus.com/guide/edit/5104475634139136
> >
> > Links to previous Intent discussions
> >
> > Intent to Prototype v1:
> > https://groups.google.com/a/chromium.org/d/topic/blink-dev/myUR5gyd5Js/discussion
> >
> > Intent to Experiment v2:
> > https://groups.google.com/a/chromium.org/g/blink-dev/c/6Dd00NJ-td8
> >
> > Intent to Ship v2:
> > https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/U5K69fbA6SU
> >
> > This intent message was generated by Chrome Platform Status
> > <https://chromestatus.com/>.
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "blink-dev" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to blink-dev+unsubscr...@chromium.org.
> > To view this discussion on the web visit
> > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADvKJHND4_zciu4u2EyuXrfr%2Bk9TmUQyKbeYJy%2BsuUtH3UF7_w%40mail.gmail.com.