Intent to Experiment: Web Payment API - connect-src CSP policy


Rouslan Solomakhin

Sep 20, 2022, 12:20:17 PM
to blink-dev

Contact emails

smcg...@chromium.org
rou...@chromium.org


Specification

https://www.w3.org/TR/payment-method-manifest/#processing-model

Summary

Deprecate the ability for Web Payment API to bypass the connect-src CSP policy when fetching the manifest. After this deprecation, a site's connect-src CSP policy will need to allow for the payment method URL specified in a PaymentRequest call, as well as any other URLs that the method chains to fetch its manifest.


Blink component

Blink>Payments

TAG review status

Not applicable

Risks

Interoperability and Compatibility

Gecko: N/A. Does not currently implement or ship PaymentHandler.
WebKit: N/A. Does not currently implement or ship PaymentHandler.
Web developers: No signals

WebView application risks

None: PaymentHandlers are not supported in WebView.


Debuggability

CSP violations print console error messages.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

No. PaymentHandlers are not supported on WebView.

Is this feature fully tested by web-platform-tests?

No

Flag name

#web-payment-api-csp

Requires code in //chrome?

False

Tracking bug

https://crbug.com/1349091

Launch bug

https://crbug.com/1349093

Estimated milestones

Origin Trial first: 108
Origin Trial last: 110

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/6286595631087616

Links to previous Intent discussions

Intent to prototype.

This intent message was generated by Chrome Platform Status.
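
One way a merchant site could pre-check its own policy against the manifest chain the Summary describes (example code added here, not from the thread or from Chromium; the hostnames, the chain order and the `checkManifestChain`/`sourceAllows` helpers are assumptions for illustration):

```javascript
// Added example (not code from the thread or from Chromium): a pre-flight check a site can run
// against its own connect-src policy to see which fetches in a payment-method manifest chain
// would be blocked once the CSP bypass is removed. Covers a subset of CSP source matching:
// 'self', 'none', '*', 'https:' and host-source (scheme, host with leading wildcard, port, path).
function parseConnectSrc(policy) {
  // Source list of the connect-src directive; null if absent (default-src fallback not modelled).
  const directive = policy.split(';').map(s => s.trim()).find(s => /^connect-src(\s|$)/i.test(s));
  return directive ? directive.split(/\s+/).slice(1) : null;
}
function sourceAllows(expr, url, selfOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === selfOrigin;
  if (expr === '*') return true;
  if (expr === 'https:') return url.protocol === 'https:';
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^/:*]+)(?::(\d+|\*))?(\/\S*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // Scheme: an explicit scheme must match; a schemeless host-source is taken as https only.
  if (scheme ? scheme.toLowerCase() + ':' !== url.protocol : url.protocol !== 'https:') return false;
  const h = url.hostname.toLowerCase();
  if (host.startsWith('*.') ? !h.endsWith(host.slice(1).toLowerCase()) : host !== '*' && h !== host.toLowerCase()) return false;
  // Port: URL.port is '' for the scheme default, so any explicit URL port must be listed.
  const portOk = port ? port === '*' || port === url.port || (port === '443' && url.port === '') : url.port === '';
  if (!portOk) return false;
  // Path: a trailing '/' means prefix match, otherwise the path must match exactly.
  if (path && (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}
function checkManifestChain(policy, selfOrigin, chain) {
  const sources = parseConnectSrc(policy);
  return chain.map(u => {
    const url = new URL(u);
    return { url: u, allowed: sources !== null && sources.some(e => sourceAllows(e, url, selfOrigin)) };
  });
}
// Constructed sample (hostnames are made up): the fetches for one payment method, in the order the
// browser makes them: the method identifier, the manifest it links to, and a web app manifest it lists.
const MANIFEST_CHAIN = ['https://pay.example.test/pay',
  'https://cdn.pay.example.test/payment-manifest.json', 'https://cdn.pay.example.test/app/manifest.json'];
const SITE_ORIGIN = 'https://merchant.example.test';
const TOO_NARROW = "default-src 'self'; connect-src 'self' https://pay.example.test";
const FIXED = "default-src 'self'; connect-src 'self' https://pay.example.test https://*.pay.example.test";
function blockedUrls(policy) {
  return checkManifestChain(policy, SITE_ORIGIN, MANIFEST_CHAIN).filter(r => !r.allowed).map(r => r.url);
}
console.log(blockedUrls(TOO_NARROW)); // the two cdn.pay.example.test URLs
console.log(blockedUrls(FIXED));      // []
```

The two URLs flagged for the narrower policy are the ones a Content-Security-Policy-Report-Only header with the same connect-src would surface as violation reports, which is the signal the report-only phase discussed later in the thread is meant to give before enforcement.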

Yoav Weiss

Sep 21, 2022, 1:30:08 AM
to Rouslan Solomakhin, blink-dev
So is the plan to get properties currently using PaymentHandler to experiment with this and see if there's breakage? Should we initially ship a "report only" mode that would help all properties know that CSP errors may be happening soon?


Rouslan Solomakhin

Sep 21, 2022, 9:06:00 AM
to Yoav Weiss, blink-dev
> So is the plan to get properties currently using PaymentHandler to experiment with this and see if there's breakage?

Yes, that's the plan.

> Should we initially ship a "report only" mode that would help all properties know that CSP errors may be happening soon?

Yes, we certainly could do that, if that's your recommendation. Assuming that does not require a Blink intent, we can start doing that in M108. Should we run the opt-in OT for enforcing CSP in M 110--112 in that case?

Stephen Mcgruer

Sep 21, 2022, 9:15:37 AM
to Rouslan Solomakhin, Yoav Weiss, blink-dev
If we are going to treat this like a deprecation instead (which is what a report-only mode sounds like to me?), then it makes more sense to me to skip an OT entirely. That is:

- M108 - begin deprecation period, developers get warnings
- M111 (for example) - enable behavior, start reverse origin trial if necessary for anyone to opt out for a few milestones.

Thoughts Yoav?

Yoav Weiss

Sep 21, 2022, 11:53:45 AM
to blink-dev, Stephen McGruer, Yoav Weiss, blink-dev, Rouslan Solomakhin
That sounds great!

Can you re-send this intent as an intent to deprecate and remove (and change the chrome status name accordingly)? That'd make it easier for the bots and the tools to capture it correctly.


Rouslan Solomakhin

Sep 21, 2022, 1:33:52 PM
to blink-dev, Yoav Weiss, Stephen McGruer, blink-dev, Rouslan Solomakhin
> Can you re-send this intent as an intent to deprecate and remove (and change the chrome status name accordingly)?

Resent in https://groups.google.com/a/chromium.org/g/blink-dev/c/mlTnVIovBc0/m/uWMMIM2MCAAJ and updated chrome status.

> That'd make it easier for the bots and the tools to capture it correctly.

Is there a good way for me to verify that the bots and the tools have captured the status correctly?

Yoav Weiss

Sep 22, 2022, 1:47:24 AM
to Rouslan Solomakhin, blink-dev, Stephen McGruer
On Wed, Sep 21, 2022 at 7:33 PM Rouslan Solomakhin <rou...@chromium.org> wrote:
> Can you re-send this intent as an intent to deprecate and remove (and change the chrome status name accordingly)?

Resent in https://groups.google.com/a/chromium.org/g/blink-dev/c/mlTnVIovBc0/m/uWMMIM2MCAAJ and updated chrome status.

> That'd make it easier for the bots and the tools to capture it correctly.

Is there a good way for me to verify that the bots and the tools have captured the status correctly?

Looks like they did (I also see that worked in my ChromeStatus dashboard).