w3c / secure-payment-confirmation

Secure Payment Confirmation (SPC)
https://w3c.github.io/secure-payment-confirmation/

[Spec] Only allow SPC authentication if in a foreground tab #238

Closed stephenmcgruer closed 1 year ago

stephenmcgruer commented 1 year ago

During PING review of the pre-CR changes to SPC, the PING raised a concern that removing the user activation requirement (see https://github.com/w3c/secure-payment-confirmation/pull/236) could lead to sites triggering SPC from a background tab. This PR adds logic to the steps to check if a payment can be made to disallow background tabs (and minimized windows, etc.).

It is likely that eventually we will want this specified in Payment Request instead, both because it will be clearer spec text (here we have to refer to a `this` that is actually from the Payment Request spec), and also because we (in Chrome) already do (afaik) reject Payment Requests from background tabs. (Which is allowable by abusing the Payment Request spec text that says a user agent may reject show() for any security reason.)

Fixes https://github.com/w3c/secure-payment-confirmation/issues/237



stephenmcgruer commented 1 year ago

cc @jyasskin - do you know if I'm holding traversable navigable (and system visibility state) properly here? 🤣

ianbjacobs commented 1 year ago

@stephenmcgruer, thanks for creating this. I agree with the direction and will support updated text based on the @jyasskin comments.

stephenmcgruer commented 1 year ago

So I suspect we can fairly easily move this to Payment Request, but in the interest of unblocking the PR for user activationless SPC I'm going to merge this as-is for now. If/when we land the equivalent in Payment Request we can drop this text.
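
Added example, not part of the PR or the spec: a caller-side sketch of how a page can cope with the background-tab rejection described in the PR description, by deferring the SPC request until the document is visible instead of calling `show()` from a hidden tab. `createForegroundGate`, `makeFakeDocument` and `demo` are hypothetical names; the fake document is constructed so the code runs outside a browser.

```javascript
// Constructed stand-in for `document`, so the example runs outside a browser.
function makeFakeDocument(initialState) {
  const listeners = new Set();
  return {
    visibilityState: initialState,
    addEventListener(type, fn) { if (type === 'visibilitychange') listeners.add(fn); },
    removeEventListener(type, fn) { if (type === 'visibilitychange') listeners.delete(fn); },
    setVisibility(state) { // helper for this example only, not a DOM API
      this.visibilityState = state;
      for (const fn of [...listeners]) fn();
    },
  };
}

// Hypothetical helper: start SPC only while the page is visible.
function createForegroundGate(doc) {
  let pending = null; // at most one deferred request
  const isForeground = () => doc.visibilityState === 'visible';
  function onChange() {
    if (!isForeground() || pending === null) return;
    const start = pending;
    pending = null;
    doc.removeEventListener('visibilitychange', onChange);
    start();
  }
  return {
    isForeground,
    run(start) {
      if (isForeground()) { start(); return 'started'; }
      if (pending === null) doc.addEventListener('visibilitychange', onChange);
      pending = start; // a newer request replaces an older deferred one
      return 'deferred';
    },
  };
}

// Demonstration with the constructed document; returns the order of events.
function demo() {
  const doc = makeFakeDocument('hidden');
  const gate = createForegroundGate(doc);
  const log = [];
  // In a browser, `start` would build the PaymentRequest with the
  // 'secure-payment-confirmation' method and call show().
  log.push(gate.run(() => log.push('show() called')));
  doc.setVisibility('visible');
  doc.setVisibility('hidden');
  doc.setVisibility('visible'); // must not start a second time
  log.push(gate.run(() => log.push('show() called again')));
  return log;
}
```

In a browser, pass the real `document` to `createForegroundGate`; the user agent's own check still applies, so the `show()` promise rejection has to be handled as well.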