[PING] Only allow triggering authentication from a foreground tab #237
Comments
I think this makes sense, a few thoughts:

Jeffrey linked me to https://html.spec.whatwg.org/multipage/interaction.html#page-visibility as the concept we probably want to work from.

The show() method [1] algorithm includes this: "If document is not [fully active](https://html.spec.whatwg.org/multipage/document-sequences.html#fully-active), then return [a promise rejected with](https://webidl.spec.whatwg.org/#a-promise-rejected-with) an "[AbortError](https://webidl.spec.whatwg.org/#aborterror)" [DOMException](https://webidl.spec.whatwg.org/#idl-DOMException)." It does not sound like that suffices (no mention of page visibility).
During PING review of the pre-CR changes to SPC, the PING raised a concern that removing the user activation requirement (see #236) could lead to sites triggering SPC from a background tab. This PR adds logic to the steps to check if a payment can be made to disallow background tabs (and minimized windows/etc). It is likely that eventually we will want this specified in Payment Request instead, both because it will be clearer spec text (here we have to refer to a `this` that is actually from the Payment Request spec), and also because we (in Chrome) already do (afaik) reject Payment Requests from background tabs. (Which is allowable by abusing the Payment Request spec text that says a user agent may reject show() for any security reason.)

Fixes #237

Co-authored-by: Jeffrey Yasskin <[email protected]>
@samuelweiler, we've updated the specification based on the PING review. If satisfied, please do the relevant label management. :) Thank you!
During today's PING discussion and review of the changes to SPC, the PING raised a concern that removing the user activation requirement could lead to sites triggering SPC from a background tab. This could confuse users, especially as technically the spec doesn't require a tab-modal dialog (Chrome just implements SPC as a tab-modal UI, which I think any reasonable browser would, but it isn't enforced).
PING has asked that we add a normative step that SPC authentication should fail if the current tab is not foreground.
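As an added illustration (not code from the SPC spec, this thread, or Chrome), the following models the requested step as a client-side gate: the existing "fully active" check from show() is kept, and a Page Visibility check is added on top of it, so a hidden tab or minimized window is rejected the same way show() rejects a non-fully-active document. The `doc` objects are constructed stand-ins for the global `document`, with an assumed `fullyActive` flag alongside the real `visibilityState` field.

```javascript
// Added example modelling the proposed "can make payment" visibility step.
// It is not the SPC or Payment Request spec text and not browser code.

class AbortError extends Error {
  constructor(message) {
    super(message);
    // Same name as the DOMException that show() rejects with.
    this.name = "AbortError";
  }
}

// Returns null when the request may proceed, otherwise the reason it must
// be rejected. `doc` is a document-like object: `fullyActive` is an assumed
// flag standing in for the HTML "fully active" concept; `visibilityState`
// is the Page Visibility API value ("visible" or "hidden").
function paymentVisibilityBlocker(doc) {
  // Step already present in show(): a non-fully-active document is rejected.
  if (!doc.fullyActive) return "document is not fully active";
  // Step requested by PING: fully active does not imply foreground, so a
  // background tab or minimized window must be rejected explicitly.
  if (doc.visibilityState !== "visible") {
    return `document is ${doc.visibilityState}, not visible`;
  }
  return null;
}

// Wraps a show()-like function so that a background document gets an
// AbortError rejection instead of triggering the authentication UI.
function guardedShow(doc, show) {
  const reason = paymentVisibilityBlocker(doc);
  if (reason !== null) {
    return Promise.reject(new AbortError(reason));
  }
  return show();
}

// Constructed sample documents for illustration.
const foregroundTab = { fullyActive: true, visibilityState: "visible" };
const backgroundTab = { fullyActive: true, visibilityState: "hidden" };
const detachedIframe = { fullyActive: false, visibilityState: "visible" };

// Constructed stand-in for PaymentRequest.show(); a real page would call the
// actual method here.
const fakeShow = () => Promise.resolve("authentication UI shown");

guardedShow(backgroundTab, fakeShow).catch((e) => {
  console.log(`${e.name}: ${e.message}`); // AbortError: document is hidden, not visible
});
```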