Intent to Ship: Secure Payment Confirmation


Stephen Mcgruer

Aug 27, 2021, 10:05:04 AM
to blink-dev

Contact emails

rou...@chromium.org, nbu...@chromium.org, smcg...@chromium.org, ma...@chromium.org

Explainer

https://github.com/w3c/secure-payment-confirmation

Specification

https://w3c.github.io/secure-payment-confirmation/

Summary

Secure payment confirmation augments the payment authentication experience on the web with the help of WebAuthn. The feature adds a new 'payment' extension to WebAuthn, which allows a relying party such as a bank to create a PublicKeyCredential that can be queried by any merchant origin as part of an online checkout via the Payment Request API using the 'secure-payment-confirmation' payment method.


Blink component

Blink>Payments

TAG review

https://github.com/w3ctag/design-reviews/issues/544

TAG review status

Pending

Supported on all platforms?
No.

SPC is launching on MacOS and Windows only initially, as they are platforms that have built-in authenticators and which payment partners have noted as important targets.

Android has browser-level support for SPC, but is excluded from the launch due to the lack of Discoverable Credentials currently. We will add Android once the platform supports that.

Risks

Interoperability and Compatibility

This feature adds a WebAuthn extension and PaymentRequest payment method type, so the interop risk is that other browsers do not implement these types. The feature is detectable (though it could be easier[0]), so it should be possible for Web Developers to determine if SPC is enabled for a given user agent visiting their site. There is a risk that the feature will evolve away from the PaymentRequest API[1], which would then require a deprecation of the current API entry-point. It is worth noting that deprecations for payment are often easier than for the general web, as there are far, far fewer payment developers and websites that accept payments are almost always kept up to date (or their payment integrations might break!).

[0]: https://github.com/w3c/secure-payment-confirmation/issues/81#issuecomment-885046226
[1]: https://github.com/w3c/secure-payment-confirmation/issues/65


Gecko: No signal (https://github.com/mozilla/standards-positions/issues/570) Historically (>1 year old) positive signal from informal conversation in W3C Payment Handler meetings. However Firefox have since not been involved in the API development.

WebKit: No signal (https://lists.webkit.org/pipermail/webkit-dev/2021-August/031956.html)

Web developers: Positive (https://lists.w3.org/Archives/Public/public-payments-wg/2021Aug/0005.html) Support and involvement in API development from multiple web developers and payment industry partners. Both Stripe and AirBnB have publicly stated that they have either completed or are in the process of prototyping/experimenting with SPC

Debuggability

Existing devtools debugging features should cover SPC (e.g. breakpoints, console, etc)


Is this feature fully tested by web-platform-tests?

Partially

https://wpt.fyi/results/secure-payment-confirmation?label=master&label=experimental&aligned

The WPT test suite is only partially complete and needs to be extended, but this first requires building out test automation machinery and content_shell support. The team is committed to this post initial launch.

Requires code in //chrome?

True

Tracking bug

https://crbug.com/1124927

Launch bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1236570#

Estimated milestones

Ship: M95. Note that this is directly after the end of the Origin Trial, so we are still trying to determine whether we should do the 'week off' approach or apply for a no-skip transition. For the latter option, I think we may meet the bar. We've significantly changed the API in both M93 and M94 during the origin trial, and so M95 for example is not compatible with someone using code from M93.

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5702310124584960

Links to previous Intent discussions

Intent to prototype: https://groups.google.com/a/chromium.org/d/topic/blink-dev/myUR5gyd5Js/discussion
Intent to Experiment: https://groups.google.com/a/chromium.org/g/blink-dev/c/6Dd00NJ-td8


This intent message was generated by Chrome Platform Status, and then hand-edited.

Joe Medley

Aug 30, 2021, 2:22:10 PM
to Stephen Mcgruer, blink-dev
This is desktop only, right?
Joe Medley | Technical Writer, Chrome DevRel | jme...@google.com | 816-678-7195
If an API's not documented it doesn't exist.



Stephen Mcgruer

Aug 30, 2021, 2:32:47 PM
to Joe Medley, blink-dev
> This is desktop only, right?

Yep! MacOS + Windows only initially; see the 'Supported on all platforms?' section for justification.

Yoav Weiss

Sep 1, 2021, 10:26:44 AM
to Stephen Mcgruer, blink-dev
Thanks for working on this! This seems like an important problem to solve. (and one which impacted me as a user)

What would be the timelines for that commitment?
 


Any feedback from the Origin Trial?
 



Stephen Mcgruer

Sep 1, 2021, 12:49:12 PM
to Yoav Weiss, blink-dev
> and one which impacted me as a user

Oof! Yes, we'd like to help figure out a way to make that not happen...

> What would be the timelines for [the commitment to see through the WPT test suite]?

My team will be working on test automation for SPC in Q4 2021. As the ex-lead of WPT in Chromium, I am quite insistent that we get it done :D.

> Any feedback from the Origin Trial?

During the Origin Trial we did iterate on the API shape significantly, but that more came from discussions in the working group than Origin Trial participant feedback (who are themselves also in the working group, so some overlap).

From our Origin Trial partners, we mostly heard that the overall experience is working for them and that they're really excited to be able to build lower-friction authentication solutions in the payments space!

Alex Russell

Sep 2, 2021, 3:19:03 PM
to blink-dev, Stephen McGruer, blink-dev, Yoav Weiss
LGTM1


Mike West

Sep 2, 2021, 3:25:14 PM
to Alex Russell, blink-dev, Stephen McGruer, Yoav Weiss
LGTM2. This has been approved via internal security and privacy review, has gotten substantial developer feedback during OT, and serves a useful purpose.

I would ask y'all to pay attention to the TAG in case they provide substantive feedback in the near future. But given that the review was initially filed a year ago, and the conversation stalled in January, I don't think we need to block on their input.

-mike



Chris Harrelson

Sep 2, 2021, 3:25:47 PM
to Mike West, Alex Russell, blink-dev, Stephen McGruer, Yoav Weiss

Yoav Weiss

Sep 2, 2021, 3:25:50 PM
to blink-dev, Mike West, blink-dev, Stephen McGruer, Yoav Weiss, Alex Russell
LGTM3


Stephen Mcgruer

Sep 8, 2021, 11:35:55 AM
to Yoav Weiss, blink-dev, Mike West, Alex Russell
Thank you all for the LGTMs (all four of them ;)).

One additional piece of business; having discussed with our partners, we would like to request a 'gapless' transition for our ongoing Origin Trial (that is, skip the required breaking period) to allow an uninterrupted availability for partners. We believe we meet the bar: the API changed significantly from M93, to M94, to M95, such that code written solely for M93-M94 will not work on M95. (So we definitely haven't been avoiding breaking changes!).


Yoav Weiss

Sep 8, 2021, 11:45:10 AM
to Stephen Mcgruer, blink-dev, Mike West, Alex Russell
LGTM for gapless OT transition.

Chris Harrelson

Sep 8, 2021, 11:45:17 AM
to Stephen Mcgruer, Yoav Weiss, blink-dev, Mike West, Alex Russell
LGTM for gapless! You've shown lots of evidence of excellent developer engagement, thank you. :)
