Contact emails: snbu...@chromium.org, smcg...@chromium.org, ic...@chromium.org
To help developers reduce friction in Secure Payment Confirmation flows, we are removing the user activation requirement. Spam and clickjacking mitigations are put in place to mitigate security and privacy risks with this change (see design doc).
TAG review status: Not applicable
Interoperability and Compatibility
Gecko: No signal
WebKit: No signal
Web developers: We've received direct feedback from web developers that they would be able to reduce friction in their redirect-based payment flows if SPC could be initiated without a user activation.
Other signals
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
Existing debuggability for SPC; e.g. a specific SecurityError is thrown when an activationless show() call is not allowed (see this test page
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
No, only features where SPC is already shipped: Windows, Mac, Android
Yes (to be updated with implementation)
Requires code in //chrome? False
Anticipated spec changes: https://github.com/w3c/secure-payment-confirmation/pull/236
Link to entry on the Chrome Platform Status: https://chromestatus.com/feature/5197059260416000