When SPC runs in an iframe, what permissions are required?

[ianbjacobs]

Raised by @Goosth

[stephenmcgruer]

From the browser side, we (Chromium) are likely to require the payments policy (https://w3c.github.io/payment-request/#permissions-policy) or some equivalent for any cross-origin iframe case.

Additionally, outside of the iframe specific question, we will also expect SPC to consume a user activation (e.g. a click), or a capability delegation token if/when that spec matures.

[ianbjacobs]

@stephenmcgruer,

Thank you for the comment on consuming a user activation. Here are three scenarios:

• User clicks "Verify" in confirmation dialog, then does FIDO user presence check (2 gestures)
• User clicks "Verify" in confirmation dialog, but due to previous consent and conditions of this transaction, there is no user presence check required (1 gesture)
• There is no dialog at all (after the "Buy" button click) based on previous consent.

The third scenario is the "Frictionless Checkout" user journey of the scope document. If I understand from your comment, you don't think you would support this use case because there is no user activation. Is that correct?

[stephenmcgruer]

The "Buy" button click is a user activation, so whether or not we support the 'Frictionless Checkout' flow wouldn't fall under that concern. I haven't thought through the full privacy/user-expectation implications of a completely frictionless flow yet though :D.

[stephenmcgruer]

@ianbjacobs - I don't think there's much else to discuss here currently, so I'm going to close this issue. Please feel free to reopen if you think there's still something to be addressed.