Skip to content

[Spec] Only allow SPC authentication if in a foreground tab#238

Merged
stephenmcgruer merged 3 commits intomainfrom
smcgruer/require-foreground
Apr 13, 2023
Merged

[Spec] Only allow SPC authentication if in a foreground tab#238
stephenmcgruer merged 3 commits intomainfrom
smcgruer/require-foreground

Conversation

@stephenmcgruer
Copy link
Collaborator

@stephenmcgruer stephenmcgruer commented Apr 11, 2023
edited
Loading

During PING review of the pre-CR changes to SPC, the PING raised a concern that removing the user activation requirement (see #236) could lead to sites triggering SPC from a background tab. This PR adds logic to the steps to check if a payment can be made to disallow background tabs (and minimized-windows/etc).

It is likely that eventually we will want this specified in Payment Request instead, both because it will be clearer spec text (here we have to refer to a this that is actually from the Payment Request spec), and also because we (in Chrome) already do (afaik) reject Payment Requests from background tabs. (Which is allowable by abusing the Payment Request spec text that says a user agent may reject show() for any security reason).

  • WPT tests - not yet landed
  • Chromium implementation - already done, Chromium doesn't allow Payment Request in a background tab already today
  • Other browsers - N/A, no other browser currently implementing SPC.

Fixes #237

Preview | Diff

@stephenmcgruer stephenmcgruer mentioned this pull request Apr 11, 2023
Merged
@stephenmcgruer stephenmcgruer force-pushed the smcgruer/require-foreground branch from ce4a6e0 to 04a1cf3 Compare April 11, 2023 15:55
@stephenmcgruer stephenmcgruer changed the title [WIP] Add normative text to only allow show() if in foreground tab [Spec] Only allow SPC authentication if in a foreground tab Apr 11, 2023
@stephenmcgruer stephenmcgruer marked this pull request as ready for review April 11, 2023 16:05
@stephenmcgruer
Copy link
Collaborator Author

stephenmcgruer commented Apr 11, 2023

cc @jyasskin - do you know if I'm holding traversable navigable (and system visibility state) properly here? 🤣

jyasskin
jyasskin reviewed Apr 11, 2023
View reviewed changes
ianbjacobs
ianbjacobs reviewed Apr 11, 2023
View reviewed changes
@ianbjacobs
Copy link
Collaborator

ianbjacobs commented Apr 11, 2023

@stephenmcgruer, thanks for creating this. I agree with the direction and will support updated text based on the @jyasskin comments.

@ianbjacobs ianbjacobs mentioned this pull request Apr 11, 2023
Merged
jyasskin
jyasskin approved these changes Apr 12, 2023
View reviewed changes
@stephenmcgruer @jyasskin
Update spec.bs
799f55a 
Co-authored-by: Jeffrey Yasskin <jyasskin@gmail.com>
stephenmcgruer added a commit to web-platform-tests/wpt that referenced this pull request Apr 12, 2023
@stephenmcgruer
[SPC] Add test for SPC authentication in a hidden document
4b4e9f1 
See w3c/secure-payment-confirmation#238
@stephenmcgruer stephenmcgruer mentioned this pull request Apr 12, 2023
Merged
@stephenmcgruer
Copy link
Collaborator Author

stephenmcgruer commented Apr 13, 2023

So I suspect we can fairly easily move this to Payment Request, but in the interest of unblocking the PR for user activationless SPC I'm going to merge this as-is for now. If/when we land the equivalent in Payment Request we can drop this text.

@stephenmcgruer stephenmcgruer merged commit 4a9d883 into main Apr 13, 2023
stephenmcgruer added a commit to web-platform-tests/wpt that referenced this pull request Apr 13, 2023
@stephenmcgruer
[SPC] Add test for SPC authentication in a hidden document (#39507)
ef35911 
See w3c/secure-payment-confirmation#238
github-actions bot added a commit that referenced this pull request Apr 13, 2023
@stephenmcgruer @github-actions
[Spec] Only allow SPC authentication if in a foreground tab (#238)
1322422 
SHA: 4a9d883
Reason: push, by stephenmcgruer

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
github-actions bot added a commit that referenced this pull request Apr 13, 2023
@stephenmcgruer @github-actions
[Spec] Only allow SPC authentication if in a foreground tab (#238)
38a3d59 
SHA: 4a9d883
Reason: push, by stephenmcgruer

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@stephenmcgruer stephenmcgruer deleted the smcgruer/require-foreground branch April 17, 2023 14:35
moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this pull request Apr 18, 2023
@stephenmcgruer @moz-wptsync-bot
Bug 1827723 [wpt PR 39507] - [SPC] Add test for SPC authentication in…
1569707 
… a hidden document, a=testonly

Automatic update from web-platform-tests
[SPC] Add test for SPC authentication in a hidden document (#39507)

See w3c/secure-payment-confirmation#238
--

wpt-commits: ef359117ec74b43acb8472534a43f71e23b4abca
wpt-pr: 39507
stephenmcgruer added a commit that referenced this pull request May 30, 2023
@stephenmcgruer
Revert "[Spec] Only allow SPC authentication if in a foreground tab (#…
aa97104 
…238)"

This reverts commits 4a9d883 and
fd37ebe

This behavior is now spec'd in Payment Request itself as of
w3c/payment-request@cce8f5e,
and so does not need to additionally be spec'd in SPC.
@stephenmcgruer stephenmcgruer mentioned this pull request May 30, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nickburris nickburris nickburris approved these changes

@ianbjacobs ianbjacobs ianbjacobs approved these changes

+1 more reviewer

@jyasskin jyasskin jyasskin approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[PING] Only allow triggering authentication from a foreground tab

4 participants

@stephenmcgruer @ianbjacobs @jyasskin @nickburris