LGTM1

On Fri, Jan 6, 2023 at 2:12 PM Stephen Mcgruer <[email protected]> wrote:
> I was asked to clarify the level of compat risk for this change (very
> reasonably, I did a poor job in the original email!).
>
> Conceptually, this change is risky as we cannot detect exact usage of
> 'someone is reading the old "rp" field',
> because CollectedClientAdditionalPaymentData is essentially a data blob
> returned from Chrome which is usually sent to the website's server backend
> and processed there.
>
> However, for SPC we believe there is low enough usage in general and we
> have good enough partner relations that we can make sure partners are aware
> of and adapt to this change* ahead of the removal. The usecounter
> <https://chromestatus.com/metrics/feature/timeline/popularity/3376> for
> SPC is at ~0.0005% of page loads, and we have internal metrics with more
> details. We know of a short list of partners who are actively experimenting
> with SPC 'in the wild'. There is a slightly longer and not fully known list
> of partners who may be experimenting with SPC in a dev environment, but we
> still expect to be able to inform these partners via the Web Payments WG
> and Web Payments SIG where most payment partners interact.
>

Thanks for clarifying! That upper bound seems low enough, so hopefully partner relationships/communications can ensure no breakage from this.

>
> * by using the already existing "rpId" field instead
>
> On Thu, 5 Jan 2023 at 11:05, Stephen Mcgruer <[email protected]>
> wrote:
>
>> Contact
>> [email protected]
>>
>> Explainer
>> None
>>
>> Specification
>> https://w3c.github.io/secure-payment-confirmation/#sctn-collectedclientadditionalpaymentdata-dictionary
>>
>> Summary
>>
>> Secure Payment Confirmation (SPC) is a Web API to support streamlined
>> authentication during a payment transaction. It builds on top of WebAuthn
>> to bring strong authentication to payment flows.
>> In the initial spec and
>> implementation of SPC, the output CollectedClientAdditionalPaymentData
>> dictionary[0] of the cryptogram contained a parameter named 'rp'. This was
>> renamed in the specification[1] to 'rpId' to align with WebAuthn, and
>> Chrome is changing its implementation to match (that is, adding 'rpId' and
>> removing 'rp').
>>
>> [0]:
>> https://w3c.github.io/secure-payment-confirmation/#sctn-collectedclientadditionalpaymentdata-dictionary
>> [1]: https://github.com/w3c/secure-payment-confirmation/pull/198
>>
>>
>> Blink component
>> Blink>Payments
>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EPayments>
>>
>> Motivation
>>
>> Secure Payment Confirmation (SPC) is a Web API to support streamlined
>> authentication during a payment transaction. It builds on top of WebAuthn
>> to bring strong authentication to payment flows. In the initial spec and
>> implementation of SPC, the output CollectedClientAdditionalPaymentData
>> dictionary[0] of the cryptogram contained a parameter named 'rp'. This was
>> renamed in the specification[1] to 'rpId' to align with WebAuthn, and
>> Chrome is changing its implementation to match (that is, adding 'rpId' and
>> removing 'rp'). In M107, we added[2] 'rpId' to
>> CollectedClientAdditionalPaymentData as an additional, identical field to
>> 'rp'. We will now be removing the old 'rp' parameter.
>>
>> [0]:
>> https://w3c.github.io/secure-payment-confirmation/#sctn-collectedclientadditionalpaymentdata-dictionary
>> [1]: https://github.com/w3c/secure-payment-confirmation/pull/198
>> [2]:
>> https://chromium.googlesource.com/chromium/src/+/3472ddafd924cbffab61b88746c5fe81e71e26a7
>>
>>
>> Initial public proposal
>> https://github.com/w3c/secure-payment-confirmation/issues/191
>>
>> TAG review
>> N/A
>>
>> TAG review status
>> N/A
>>
>> Risks
>>
>> Interoperability and Compatibility
>>
>> Compatibility: The main risk is that a developer is still using the 'rp'
>> parameter (and has not migrated to 'rpId'), and that their
>> cryptogram-parsing code fails. Notably, we cannot detect this via browser
>> metrics, as cryptogram-parsing is normally done server-side (i.e. the
>> client just sends the received cryptogram up to a server). This also means
>> that we cannot do e.g., a devtool deprecation warning. However, there are
>> still relatively few users of SPC, and all are active participants in its
>> development. We have announced this planned rename previously, and will now
>> announce its deprecation + removal timeline ('deprecate' today, remove in
>> M113).
>>
>> *Gecko*: N/A Firefox does not ship SPC
>>
>> *WebKit*: N/A Safari does not ship SPC
>>
>> *Web developers*: No signals
>>
>> *Other signals*:
>>
>> WebView application risks
>>
>> Does this intent deprecate or change behavior of existing APIs, such that
>> it has potentially high risk for Android WebView-based applications?
>>
>> No - SPC does not ship on WebView.
>>
>> Debuggability
>>
>> Developers may inspect the output CollectedClientAdditionalPaymentData
>> dictionary in devtools if desired.
>>
>> Is this feature fully tested by web-platform-tests
>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>> Yes, in
>> https://wpt.fyi/results/secure-payment-confirmation/authentication-accepted.https.html?label=experimental&label=master&aligned
>> - will need to be updated in M113 to assert that the field is no longer
>> present.
>>
>> Flag name
>> N/A
>>
>> Requires code in //chrome?
>> False
>>
>> Tracking bug
>> https://bugs.chromium.org/p/chromium/issues/detail?id=1356224
>>
>> Estimated milestones
>>
>> Deprecation: 'now' (M110, but impossible to add e.g. deprecation warnings)
>>
>> Removal: M113
>>
>> Link to entry on the Chrome Platform Status
>> https://chromestatus.com/feature/5203057325899776
>>
>> This intent message was generated by Chrome Platform Status
>> <https://chromestatus.com/>, and edited by smcgruer@ by hand.
>>
> --
> You received this message because you are subscribed to the Google Groups
> "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADY3MaeSz5M_k5FaysBE-OgV3sarO6tgXY%3DcxmAMWivAfdW_SA%40mail.gmail.com
> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADY3MaeSz5M_k5FaysBE-OgV3sarO6tgXY%3DcxmAMWivAfdW_SA%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>
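
Added example, not part of the thread and not Chrome's or the specification's code: one way a server-side parser can survive the 'rp' to 'rpId' rename discussed above, by preferring 'rpId', falling back to 'rp', and reporting when the fallback was used. The `type` value "payment.get" and the `payment` member name are assumptions taken from the SPC specification; `EXPECTED_RP_ID`, the helper names and the sample payloads are constructed.

```javascript
// Added example (not Chrome's or the spec's code). Runs under Node.js.
// Assumptions: clientDataJSON arrives base64url-encoded, its signature has
// already been verified, and EXPECTED_RP_ID is this server's own RP ID.
const EXPECTED_RP_ID = "bank.example"; // constructed value

function decodeClientData(b64url) {
  // Node's "base64" decoder also accepts the URL-safe alphabet.
  return JSON.parse(Buffer.from(b64url, "base64").toString("utf8"));
}

// Returns { rpId, usedLegacyField }; throws on anything unexpected.
function extractRpId(clientData) {
  if (clientData.type !== "payment.get") throw new Error("not an SPC assertion");
  const payment = clientData.payment;
  if (payment === null || typeof payment !== "object") throw new Error("missing payment member");
  const hasNew = typeof payment.rpId === "string";
  const hasOld = typeof payment.rp === "string";
  if (!hasNew && !hasOld) throw new Error("neither 'rpId' nor 'rp' present");
  // While both fields ship they are identical, so a mismatch is an error.
  if (hasNew && hasOld && payment.rpId !== payment.rp) throw new Error("'rp' and 'rpId' disagree");
  const rpId = hasNew ? payment.rpId : payment.rp;
  if (rpId !== EXPECTED_RP_ID) throw new Error("unexpected RP ID: " + rpId);
  return { rpId, usedLegacyField: !hasNew };
}

// Constructed sample payloads for the three shapes a server can see.
function sample(payment) {
  const json = JSON.stringify({ type: "payment.get", payment });
  return Buffer.from(json, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLES = {
  legacyOnly: sample({ rp: "bank.example" }),                 // before M107
  both: sample({ rp: "bank.example", rpId: "bank.example" }), // M107 until removal
  newOnly: sample({ rpId: "bank.example" }),                  // after removal (M113)
};

function checkSamples() {
  const out = {};
  for (const [name, blob] of Object.entries(SAMPLES)) {
    out[name] = extractRpId(decodeClientData(blob));
  }
  return out;
}

console.log(checkSamples());
```

Logging `usedLegacyField` on the server gives the usage signal that, per the thread, browser metrics cannot provide.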
