Re: [w3c/payment-handler] Open Window Algorithm and tracking through 1ps (#351) from Danyao Wang on 2019-11-07 (public-webpayments-specs@w3.org from November 2019)

From: Danyao Wang <notifications@github.com>
Date: Thu, 07 Nov 2019 15:22:23 -0800
To: w3c/payment-handler <payment-handler@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/payment-handler/issues/351/551312003@github.com>

Thanks @snyderp for raising these thoughts. I understand the importance of locking down 3P iframes. Where I respectfully disagree is that the payment handler is not a 3P context the same way iframe is. It's more like a nicely positioned popup because:

1. It can only be triggered with a user gesture, unlike iframe or redirect which happen automatically at the embedder context's discretion.
2. It contains a URL bar that shows the origin the user is interacting with, unlike iframe where the origin is hidden.
3. The embedder context cannot play with its visibility or overlay other content on top of it, unlike iframe which can be made transparent or hidden behind other layers.

I'd argue that the payment handler window is not fundamentally different from a new tab that's triggered by the user clicking on an `<a href="..." target="_blank">`, so it shouldn't be subject to the storage partition ideas for 3P iframes.

> Again, my concern is not whether the API would allow people to long in with multiple identities, its that the spec, as written, would allow the payment handler to link those multiple presented identities together (since they're all happening in the same storage context)

If I click on a link to ewallet.com from store1.com, log in with account1, and then click on a link to ewallet.com from store2.com and log in with account2, ewallet.com can also link my two identities. Being able to follow links is a fundamental property of the web. The only question is, how different is the payment handler pattern different from following links? I'd argue it's pretty similar, because user sees a "Pay with eWallet" button, clicks on it. It shouldn't be a surprise to them that we load a page from ewallet.com.

Other features of the Payment Handler API arguably needs more thought. For example, the Just-in-Time Install feature causes the browser to download a manifest from a payment app origin that's specified by the merchant, without user guesture. However, Chrome's implementation doesn't send any cookies on this request. I believe we also don't allow setting any cookie on the response, but need to check. If it does, it's a bug and we'll fix it.

A bad actor can trick the user into clicking on something that opens a payment handler window to accomplish tracking. But the effect is very intrusive, so it doesn't seem to me that it will be a very successful exploit. Also browsers implementing the payment handler window can monitor how origins use Payment Request API. If there's good reason to believe this API is not used for legitimate e-commerce use cases and can prevent these attacks similar to how Safe Browsing works today.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-handler/issues/351#issuecomment-551312003

Received on Thursday, 7 November 2019 23:22:25 UTC