show() should consume user activation

marcoscaceres commented 4 years ago

@aestes, @danyao, @rsolomakhin, moving discussion from #885.

HTML has a new activation model. Right now, we presumedly have "transient" activation for show():

window.onclick = () => {
   // set up payment stuff...
   const pay = request.show();
   // Does this succeed or reject? i.e., did .show() "consume" the user activation.
   document.body.requestFullscreen();
}

Presumedly, because of the modal nature of .show() we want to "consume" the activation, so that things like requestFullscreen() would fail if called immediately after .show().

rsolomakhin commented 4 years ago

@jdtoupin Do you have a product opinion here? My vote is to consume user activation, so a click can trigger only one powerful feature. Consuming would also make click-jacking more difficult.

EDIT: The right @jdtoupin

jdtoupin commented 4 years ago

Yes, consuming user activation makes sense to me.

marcoscaceres commented 4 years ago

Ok, makes sense to me too.

As long as it's ok with @aestes (and we are not breaking anything with ApplePay... which I don't imagine we are), then I'll send a PR to add this and also update Firefox's implementation to match.

marcoscaceres commented 4 years ago

@aestes, when possible, please let me know if the above is ok 🙏.

w3c / payment-request

show() should consume user activation #886