Contact [email protected] ExplainerNone
Specification https://w3c.github.io/secure-payment-confirmation/#sctn-collectedclientadditionalpaymentdata-dictionary Summary Secure Payment Confirmation (SPC) is a Web API to support streamlined authentication during a payment transaction. It builds on top of WebAuthn to bring strong authentication to payment flows. In the initial spec and implementation of SPC, the output CollectedClientAdditionalPaymentData dictionary[0] of the cryptogram contained a parameter named 'rp'. This was renamed in the specification[1] to 'rpId' to align with WebAuthn, and Chrome is changing its implementation to match (that is, adding 'rpId' and removing 'rp'). [0]: https://w3c.github.io/secure-payment-confirmation/#sctn-collectedclientadditionalpaymentdata-dictionary [1]: https://github.com/w3c/secure-payment-confirmation/pull/198 Blink componentBlink>Payments <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EPayments> Motivation Secure Payment Confirmation (SPC) is a Web API to support streamlined authentication during a payment transaction. It builds on top of WebAuthn to bring strong authentication to payment flows. In the initial spec and implementation of SPC, the output CollectedClientAdditionalPaymentData dictionary[0] of the cryptogram contained a parameter named 'rp'. This was renamed in the specification[1] to 'rpId' to align with WebAuthn, and Chrome is changing its implementation to match (that is, adding 'rpId' and removing 'rp'). In M107, we added[2] 'rpId' to CollectedClientAdditionalPaymentData as an additional, identical field to 'rp'. We will now be removing the old 'rp' parameter. [0]: https://w3c.github.io/secure-payment-confirmation/#sctn-collectedclientadditionalpaymentdata-dictionary [1]: https://github.com/w3c/secure-payment-confirmation/pull/198 [2]: https://chromium.googlesource.com/chromium/src/+/3472ddafd924cbffab61b88746c5fe81e71e26a7 Initial public proposal https://github.com/w3c/secure-payment-confirmation/issues/191 TAG reviewN/A TAG review statusN/A Risks Interoperability and Compatibility Compatibility: The main risk is that a developer is still using the 'rp' parameter (and has not migrated to 'rpId'), and that their cryptogram-parsing code fails. Notably, we cannot detect this via browser metrics, as cryptogram-parsing is normally done server-side (i.e. the client just sends the received cryptogram up to a server). This also means that we cannot do e.g., a devtool deprecation warning. However, there are still relatively few users of SPC, and all are active participants in its development. We have announced this planned rename previously, and will now announce its deprecation + removal timeline ('deprecate' today, remove in M113). *Gecko*: N/A Firefox does not ship SPC *WebKit*: N/A Safari does not ship SPC *Web developers*: No signals *Other signals*: WebView application risks Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications? No - SPC does not ship on WebView. Debuggability Developers may inspect the output CollectedClientAdditionalPaymentData dictionary in devtools if desired. Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> ?Yes, in https://wpt.fyi/results/secure-payment-confirmation/authentication-accepted.https.html?label=experimental&label=master&aligned - will need to be updated in M113 to assert that the field is no longer present. Flag nameN/A Requires code in //chrome?False Tracking bughttps://bugs.chromium.org/p/chromium/issues/detail?id=1356224 Estimated milestones Deprecation: 'now' (M110, but impossible to add e.g. deprecation warnings) Removal: M113 Link to entry on the Chrome Platform Status https://chromestatus.com/feature/5203057325899776 This intent message was generated by Chrome Platform Status <https://chromestatus.com/>, and edited by smcgruer@ by hand. -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADY3MafrN3_3_aV4RZ7YWL8qS2waK1zXbA88b6nncmX3uLHgJQ%40mail.gmail.com.
