w3c / secure-payment-confirmation

Secure Payment Confirmation (SPC)
https://w3c.github.io/secure-payment-confirmation/

Add showOptOut option to spec #215

Closed nickburris closed 1 year ago

nickburris commented 1 year ago

This PR adds spec text for a new showOptOut option in the SecurePaymentConfirmationRequest API. See the original proposal and discussion in #172. This spec change reflects the prototype currently implemented behind a flag in Chrome, which is available via origin trial and used in this test page.

The OptOutError mentioned in this change is being added to WebIDL in https://github.com/whatwg/webidl/pull/1231.

Opt-out web platform test: https://github.com/web-platform-tests/wpt/pull/37012



stephenmcgruer commented 1 year ago

(cc @jcemer as an fyi)

stephenmcgruer commented 1 year ago

+@ianbjacobs to review as well. Ian - I expect we will want to talk about this one in the WPWG?

ianbjacobs commented 1 year ago

@stephenmcgruer, I will put this on the 8 December agenda.

ianbjacobs commented 1 year ago

Some day I will learn to use GitHub. In the meantime, here were the comments I thought I left:

nickburris commented 1 year ago

Thanks! See updates to the privacy considerations section.

> I think the privacy considerations section should speak more directly to the fact that the opt out error lets the caller know the user has credentials, even though the user did not complete an authentication. I recommend including a statement about mechanisms that mitigate this (e.g., the user has taken explicit action via dedicated browser-owned UX).

In our implementation we actually do not leak this information, since we also show the opt out option on the no-credential-found UX which already exists to mitigate credential probing attacks. I've added text to the privacy considerations section on this, good catch!
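How a caller might set `showOptOut` and handle the resulting rejection, as an added example that is not part of this PR, the spec text or any commenter's code. The helper names, outcome labels and sample values are assumptions, and it relies on the opt-out rejection being a DOMException named `OptOutError`, as referenced in the PR description.

```javascript
// Added illustration, not code from the PR or the spec. Helper names,
// outcome labels and SAMPLE_* values are assumptions / constructed.

// PaymentRequest method data for SPC with the opt-out option switched on.
function buildSpcMethodData({ rpId, challenge, credentialIds, instrument, payeeOrigin }) {
  return [{
    supportedMethods: 'secure-payment-confirmation',
    data: { rpId, challenge, credentialIds, instrument, payeeOrigin,
            timeout: 60000, showOptOut: true },
  }];
}

// Map a show() rejection to an outcome label. Because the opt-out option is
// also offered on the no-credential-found UX (see the comment above), neither
// label is evidence that the user has a credential; the caller must not
// record one.
function classifySpcRejection(err) {
  return err && err.name === 'OptOutError' ? 'opted-out' : 'not-completed';
}

// PaymentRequestCtor is injected so the flow can run against a stub outside
// a browser; in a page it is window.PaymentRequest.
async function confirmPayment(PaymentRequestCtor, spcInput, total) {
  const request = new PaymentRequestCtor(buildSpcMethodData(spcInput), { total });
  try {
    const response = await request.show();
    // The caller verifies response.details on its server, then calls
    // response.complete().
    return { outcome: 'confirmed', response };
  } catch (err) {
    return { outcome: classifySpcRejection(err) };
  }
}

// Constructed sample input (not real credentials or origins).
const SAMPLE_INPUT = {
  rpId: 'rp.example',
  challenge: Uint8Array.of(1, 2, 3, 4),
  credentialIds: [Uint8Array.of(9, 9, 9)],
  instrument: { displayName: 'Example Card ****0000', icon: 'https://rp.example/card.png' },
  payeeOrigin: 'https://merchant.example',
};
const SAMPLE_TOTAL = { label: 'Total', amount: { currency: 'USD', value: '5.00' } };
```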

nickburris commented 1 year ago

Thanks again! As mentioned we'll leave this open until discussion at WPWG 8 December meeting.

nickburris commented 1 year ago

FYI I made a small change to update the naming convention in the TransactionAutomationMode enum to camelCase, per a recommendation in this comment which I'll follow up with an implementation change.

stephenmcgruer commented 1 year ago

@nickburris - fyi that this PR should also add a reference to the newly added WPT test (see https://github.com/w3c/secure-payment-confirmation/commit/c096e3b4ae4ca52b9c5d2e3cc9d850db64283751 where I landed it as wpt hidden for now; we should un-hide it and move it wherever in the spec seems most relevant!)

stephenmcgruer commented 1 year ago

This was discussed today at the WPWG (minutes), and a resolution was taken to land it (once updated for the WPT test comment). We also heard interest in exploring clearer cancellation states for SPC, which we intend to discuss internally - but consider separate from this PR.

nickburris commented 1 year ago

Sorry about the force push mess, one day I will get rebasing a fork right...

> @nickburris - fyi that this PR should also add a reference to the newly added WPT test (see c096e3b where I landed it as wpt hidden for now; we should un-hide it and move it wherever in the spec seems most relevant!)

Done

stephenmcgruer commented 1 year ago

> Sorry about the force push mess, one day I will get rebasing a fork right...

No problem! I also just rebased and force-pushed it again, to pick up a fix I landed in main: https://github.com/w3c/secure-payment-confirmation/commit/06a08c0a82d63a74d699a7d8bb098f69d2f304cd

stephenmcgruer commented 1 year ago

@ianbjacobs - I think we're good to merge here, but will wait on you to confirm before I squash-merge it :)