Intent to Prototype + Ship: User Activation Requirement for SPC Credential Enrollment

77 views
Skip to first unread message

Nick Burris

unread,
May 5, 2022, 12:23:55 PMMay 5
to blink-dev, Rouslan Solomakhin, Stephen McGruer

Contact emails

nbu...@chromium.org, rou...@chromium.org, smcg...@chromium.org


Explainer

SPC explainer: https://github.com/w3c/secure-payment-confirmation/blob/main/explainer.md


Specification

SPC specification: https://w3c.github.io/secure-payment-confirmation/


Design docs

N/A


Summary

This intent is to add a user activation requirement for Secure Payment Confirmation (SPC) credential enrollment in a cross-origin iframe to help mitigate a privacy issue (see w3c/secure-payment-confirmation#128 for discussion of a potential identity tracking attack).


Original feature summary: Secure payment confirmation augments the payment authentication experience on the web with the help of WebAuthn. The feature adds a new 'payment' extension to WebAuthn, which allows a relying party such as a bank to create a PublicKeyCredential that can be queried by any merchant origin as part of an online checkout via the Payment Request API using the 'secure-payment-confirmation' payment method.


Blink component

Blink>Payments


TAG review

SPC TAG review: https://github.com/w3ctag/design-reviews/issues/675


TAG review status

Closed (Resolution: satisfied)


Interoperability and Compatibility

While adding a new requirement for user activation is technically a breaking change, we are confident in this change as the feature is expected to be used in a payment flow where the user has provided some form of input to continue. We have confirmed with the external partners who are using this feature that they do currently have a user activation.


Gecko: No signal (https://github.com/mozilla/standards-positions/issues/570) Historically (>1 year old) positive signal from informal conversation in W3C Payment Handler meetings. However Firefox have since not been involved in the API development.


WebKit: No signal (https://lists.webkit.org/pipermail/webkit-dev/2021-August/031956.html)


Web developers: Positive (https://lists.w3.org/Archives/Public/public-payments-wg/2021Aug/0005.html) Support and involvement in API development from multiple web developers and payment industry partners. Both Stripe and AirBnB have publicly stated that they have either completed or are in the process of prototyping/experimenting with SPC



Debuggability

Existing devtools debugging features should cover SPC (e.g. breakpoints, console, etc)


Is this feature fully tested by web-platform-tests?

Yes, coverage for the user activation requirement will be added to the existing test suite:

https://wpt.fyi/results/secure-payment-confirmation?label=master&label=experimental&aligned


Flag name

N/A


Requires code in //chrome?

No


Tracking bug

User activation bug: https://crbug.com/1322603

Original feature bug: https://crbug.com/1124927


Launch bug

Original SPC launch bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1236570

We believe this is a small enough change to an existing feature that it doesn’t require its own launch bug.


Link to entry on the Chrome Platform Status

https://chromestatus.com/guide/edit/5104475634139136


Links to previous Intent discussions

Intent to Prototype v1: https://groups.google.com/a/chromium.org/d/topic/blink-dev/myUR5gyd5Js/discussion

Intent to Experiment v2: https://groups.google.com/a/chromium.org/g/blink-dev/c/6Dd00NJ-td8

Intent to Ship v2: https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/U5K69fbA6SU



This intent message was generated by Chrome Platform Status.


Mike Taylor

unread,
May 10, 2022, 2:01:28 PMMay 10
to Nick Burris, blink-dev, Rouslan Solomakhin, Stephen McGruer
LGTM1 - this seems like a useful change. Thanks for involving partners.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADvKJHND4_zciu4u2EyuXrfr%2Bk9TmUQyKbeYJy%2BsuUtH3UF7_w%40mail.gmail.com.


Mike West

unread,
May 11, 2022, 1:27:29 AMMay 11
to Mike Taylor, Nick Burris, blink-dev, Rouslan Solomakhin, Stephen McGruer

Yoav Weiss

unread,
May 11, 2022, 2:48:50 AMMay 11
to Mike West, Mike Taylor, Nick Burris, blink-dev, Rouslan Solomakhin, Stephen McGruer

Joe Medley

unread,
May 12, 2022, 11:04:58 AMMay 12
to Yoav Weiss, Mike West, Mike Taylor, Nick Burris, blink-dev, Rouslan Solomakhin, Stephen McGruer
Nick,

When are you hoping to ship?

Joe
Joe Medley | Technical Writer, Chrome DevRel | jme...@google.com | 816-678-7195
If an API's not documented it doesn't exist.


Nick Burris

unread,
May 12, 2022, 11:12:37 AMMay 12
to Joe Medley, Yoav Weiss, Mike West, Mike Taylor, Nick Burris, blink-dev, Rouslan Solomakhin, Stephen McGruer
Thanks all! Joe, this change has now landed in M103.

Joe Medley

unread,
May 12, 2022, 12:10:08 PMMay 12
to Nick Burris, Yoav Weiss, Mike West, Mike Taylor, Nick Burris, blink-dev, Rouslan Solomakhin, Stephen McGruer
Thanks.

Joe Medley | Technical Writer, Chrome DevRel | jme...@google.com | 816-678-7195
If an API's not documented it doesn't exist.

Reply all
Reply to author
Forward
0 new messages