[Spec] Only allow SPC authentication if in a foreground tab #238
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
stephenmcgruer
force-pushed
the
smcgruer/require-foreground
branch
from
ce4a6e0 to
04a1cf3
Compare
stephenmcgruer
changed the title
|
cc @jyasskin - do you know if I'm holding |
jyasskin
reviewed
Apr 11, 2023
ianbjacobs
reviewed
Apr 11, 2023
|
@stephenmcgruer, thanks for creating this. I agree with the direction and will support updated text based on the @jyasskin comments. |
ianbjacobs
approved these changes
Apr 12, 2023
nickburris
approved these changes
Apr 12, 2023
jyasskin
approved these changes
Apr 12, 2023
Co-authored-by: Jeffrey Yasskin <[email protected]>
stephenmcgruer
added a commit
to web-platform-tests/wpt
that referenced
this pull request
Apr 12, 2023
|
So I suspect we can fairly easily move this to Payment Request, but in the interest of unblocking the PR for user activationless SPC I'm going to merge this as-is for now. If/when we land the equivalent in Payment Request we can drop this text. |
stephenmcgruer
added a commit
to web-platform-tests/wpt
that referenced
this pull request
Apr 13, 2023
github-actions bot
added a commit
that referenced
this pull request
Apr 13, 2023
SHA: 4a9d883 Reason: push, by stephenmcgruer Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
github-actions bot
added a commit
that referenced
this pull request
Apr 13, 2023
SHA: 4a9d883 Reason: push, by stephenmcgruer Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this pull request
Apr 18, 2023
… a hidden document, a=testonly Automatic update from web-platform-tests [SPC] Add test for SPC authentication in a hidden document (#39507) See w3c/secure-payment-confirmation#238 -- wpt-commits: ef359117ec74b43acb8472534a43f71e23b4abca wpt-pr: 39507
stephenmcgruer
added a commit
that referenced
this pull request
May 30, 2023
…238)" This reverts commits 4a9d883 and fd37ebe This behavior is now spec'd in Payment Request itself as of w3c/payment-request@cce8f5e, and so does not need to additionally be spec'd in SPC.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
During PING review of the pre-CR changes to SPC, the PING raised a concern that removing the user activation requirement (see #236) could lead to sites triggering SPC from a background tab. This PR adds logic to the steps to check if a payment can be made to disallow background tabs (and minimized-windows/etc).
It is likely that eventually we will want this specified in Payment Request instead, both because it will be clearer spec text (here we have to refer to a
thisthat is actually from the Payment Request spec), and also because we (in Chrome) already do (afaik) reject Payment Requests from background tabs. (Which is allowable by abusing the Payment Request spec text that says a user agent may reject show() for any security reason).Fixes #237
Preview | Diff