Contact emails
nbu...@chromium.org, smcg...@chromium.org, ic...@chromium.org
Specification
https://github.com/w3c/secure-payment-confirmation/pull/236
Design docs
https://docs.google.com/document/d/1DW4hGyuVzcN8sE8TC3YOkg6xO4XpUGZQNxcHgfMXVwA
Summary
To help developers reduce friction in Secure Payment Confirmation flows, we are removing the user activation requirement. Spam and clickjacking mitigations are put in place to mitigate security and privacy risks with this change (see design doc).
Blink component
Blink>Payments
TAG review
None
TAG review status
Not applicable
Risks
Interoperability and Compatibility
Gecko: No signal
WebKit: No signal
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADvKJHN9Rp4gYYZJ4Jx9iwMiA3jS%2BagC_7L5dWkEGrWo8OLX4w%40mail.gmail.com.
On Mon, Apr 17, 2023 at 9:42 PM Nick Burris <nbu...@chromium.org> wrote:
Summary
To help developers reduce friction in Secure Payment Confirmation flows, we are removing the user activation requirement. Spam and clickjacking mitigations are put in place to mitigate security and privacy risks with this change (see design doc).
Blink component
Blink>Payments
TAG review
None
TAG review status
Not applicable
Risks
Interoperability and Compatibility
Gecko: No signal
WebKit: No signal
Have we asked for a signal? Are they shipping this feature?
Web developers: We've received direct feedback from web developers that they would be able to reduce friction in their redirect-based payment flows if SPC could be initiated without a user activation.
Other signals:
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
Debuggability
Existing debuggability for SPC; e.g. a specific SecurityError is thrown when an activationless show() call is not allowed (see this test page).
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
No, only features where SPC is already shipped: Windows, Mac, Android
Is this feature fully tested by web-platform-tests?
Yes (to be updated with implementation)
Flag name
--enable-blink-features=SecurePaymentConfirmationActivationlessShow
Requires code in //chrome?
False
Estimated milestones
Shipping on desktop: 114
Shipping on Android: 114
Anticipated spec changes
https://github.com/w3c/secure-payment-confirmation/pull/236
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5197059260416000
LGTM3
LGTM2
This intent message was generated by Chrome Platform Status.