nbu...@chromium.org, rou...@chromium.org, smcg...@chromium.org
SPC explainer: https://github.com/w3c/secure-payment-confirmation/blob/main/explainer.md
SPC specification: https://w3c.github.io/secure-payment-confirmation/
This intent is to add a user activation requirement for Secure Payment Confirmation (SPC) credential enrollment in a cross-origin iframe to help mitigate a privacy issue (see w3c/secure-payment-confirmation#128 for discussion of a potential identity tracking attack).
Original feature summary: Secure payment confirmation augments the payment authentication experience on the web with the help of WebAuthn. The feature adds a new 'payment' extension to WebAuthn, which allows a relying party such as a bank to create a PublicKeyCredential that can be queried by any merchant origin as part of an online checkout via the Payment Request API using the 'secure-payment-confirmation' payment method.
SPC TAG review: https://github.com/w3ctag/design-reviews/issues/675
Closed (Resolution: satisfied)
While adding a new requirement for user activation is technically a breaking change, we are confident in this change as the feature is expected to be used in a payment flow where the user has provided some form of input to continue. We have confirmed with the external partners who are using this feature that they do currently have a user activation.
Gecko: No signal (https://github.com/mozilla/standards-positions/issues/570) Historically (>1 year old) positive signal from informal conversation in W3C Payment Handler meetings. However Firefox have since not been involved in the API development.
WebKit: No signal (https://lists.webkit.org/pipermail/webkit-dev/2021-August/031956.html)
Web developers: Positive (https://lists.w3.org/Archives/Public/public-payments-wg/2021Aug/0005.html) Support and involvement in API development from multiple web developers and payment industry partners. Both Stripe and AirBnB have publicly stated that they have either completed or are in the process of prototyping/experimenting with SPC
Existing devtools debugging features should cover SPC (e.g. breakpoints, console, etc)
Yes, coverage for the user activation requirement will be added to the existing test suite:
User activation bug: https://crbug.com/1322603
Original feature bug: https://crbug.com/1124927
Original SPC launch bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1236570
We believe this is a small enough change to an existing feature that it doesn’t require its own launch bug.
Intent to Prototype v1: https://groups.google.com/a/chromium.org/d/topic/blink-dev/myUR5gyd5Js/discussion
Intent to Experiment v2: https://groups.google.com/a/chromium.org/g/blink-dev/c/6Dd00NJ-td8
Intent to Ship v2: https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/U5K69fbA6SU
This intent message was generated by Chrome Platform Status.
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADvKJHND4_zciu4u2EyuXrfr%2Bk9TmUQyKbeYJy%2BsuUtH3UF7_w%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/069483ff-978e-77af-7baf-c5099c20ba6d%40chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3Ddy6obPhwgXbuPA7dnX_A2sqrqGPk7BhVE_UUk0byCE5w%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfUPv7%3DDHz3cWmpjs8wWVTx_or4J2aQ2OLay1VVkFhsBMw%40mail.gmail.com.