PaymentInstruments is the Web API that backs non-JIT install of payment apps (see https://w3c.github.io/payment-handler/). It was designed with the assumption that the browser would store the actual payment instrument details, which has not turned out to be true, and has some privacy leaks. It also has not shipped on any other browser, nor have we seen any interest from other browser vendors. As such, we are interested in deprecating and removing the API.
The PaymentInstruments.set() method allows an attacker website to store arbitrary data, which can later be retrieved via PaymentInstruments.get() potentially in a third-party context. For example, the user visits https://tracker.example, which generates and stores a UUID for that user via PaymentInstruments.set(key, UUID). Later, the user visits https://site.example, which opens an iframe for https://tracker.example. That iframe calls PaymentInstruments.get(key) and can retrieve the UUID, thus allowing https://tracker.example to know which user it is. Given the lack of uptake in PaymentInstruments.set(), versus the more common JIT-install path, as well as the overly powerful nature of the API, we propose to remove PaymentInstruments entirely. (PaymentInstruments was designed with the belief that the browser would know about individual payment methods (e.g., credit cards) rather than payment apps, hence the need to store/retrieve arbitrary information.)
Standard DevTools debugging.
Would like to remove in M108.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAMMzaWGzus%3DU48U06m-gk7_2G6Wnhn59UJXLi9xW9uz5%2BEWQuA%40mail.gmail.com.
Hi Mike,

> do we have any reason to believe there are consumers of this API who have disabled telemetry, i.e. maybe in enterprise contexts?

We don't have any indications that this could be happening.

> do we know how these few sites who are using the API... are using the API? Does any real-world usage show up in HTTP Archive?

Found 2 websites in HTTP Archive:
- A payment app website that also uses a JIT install for payment handlers.
- A payment app website that installs a payment handler when you visit their home page, but the code looks more like a demo because of hard-coded strings.