Relax user activation requirement for authentication#236
Relax user activation requirement for authentication#236stephenmcgruer merged 8 commits intow3c:mainfrom
Conversation
stephenmcgruer
left a comment
There was a problem hiding this comment.
Thanks for the PR Nick! I have some comments I do think need addressing.
During PING review of the pre-CR changes to SPC, the PING raised a concern that removing the user activation requirement (see #236) could lead to sites triggering SPC from a background tab. This PR adds logic to the steps to check if a payment can be made to disallow background tabs (and minimized-windows/etc). It is likely that eventually we will want this specified in Payment Request instead, both because it will be clearer spec text (here we have to refer to a this that is actually from the Payment Request spec), and also because we (in Chrome) already do (afaik) reject Payment Requests from background tabs. (Which is allowable by abusing the Payment Request spec text that says a user agent may reject show() for any security reason). Fixes #237 Co-authored-by: Jeffrey Yasskin <jyasskin@gmail.com>
|
Thanks for the feedback @stephenmcgruer and @ianbjacobs! PTAL at the latest text. The CI failure seems unrelated to this change, it's a warning about the WPT that was recently added, which we can add a reference to in a separate commit. |
stephenmcgruer
left a comment
There was a problem hiding this comment.
LGTM with some comments
Landed a fix for this straight to |
|
Bleh, it still fails, probably because its using the PR's |
ianbjacobs
left a comment
There was a problem hiding this comment.
Overall this looks good. The nature of my most recent suggestion is to not refer to a "user activation requirement" because it is no longer a requirement of the specification. I think it's fine to say things like "by not requiring user activation" or "the user agent may require user activation." But there's no requirement in the specification anymore. Hence, my comment is primarily editorial.
|
Thanks! Addressed all comments and rebased to fix CI, this should be good to go now! |
|
Still LGTM, thanks Nick. |
ianbjacobs
left a comment
There was a problem hiding this comment.
Hi @nickburris,
This is almost good to go. My suggested last edits are to remove the notion of "change." Once this is merged, new readers will not perceive that anything has changed, and so I suggest in two places removing that verbiage. Otherwise looks good to go!
Co-authored-by: ianbjacobs <ij@w3.org>
SHA: 72fc2b7 Reason: push, by stephenmcgruer Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
SHA: 72fc2b7 Reason: push, by stephenmcgruer Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This gives the user agent the ability to relax the user activation requirement on the PaymentRequest.show() method. This spec change largely follows the relevant change outlined in Secure Payment Confirmation: w3c/secure-payment-confirmation#236
See issue #216 for context. This removes the only reference to user activation for SPC authentication, and adds some spec text giving the user agent the option to skip or relax the user activation requirement in the
PaymentRequest.show()steps.Preview | Diff