PSA: Chrome removing 'rp' field from output SPC cryptogram (replaced by 'rpId')

Hey folks,

As you may recall, the working group resolved in issue 191
<https://github.com/w3c/secure-payment-confirmation/issues/191> to rename
the 'rp' parameter in the output CollectedClientAdditionalPaymentData
<https://w3c.github.io/secure-payment-confirmation/#sctn-collectedclientadditionalpaymentdata-dictionary>
cryptogram dictionary to 'rpId', in order to align with WebAuthn. On the
implementation side, we added 'rpId' to the dictionary in Chrome M107
(reached Stable channel on Oct 25, 2022), and we are now preparing to remove
the old 'rp' field
<https://groups.google.com/u/1/a/chromium.org/g/blink-dev/c/_KGnT-jJyPA> in
M113 (will reach Stable channel around Apr 26, 2023).

You can preview the new behavior (with the 'rp' field removed) by passing
--enable-features=SecurePaymentConfirmationRemoveRpField to Chrome Canary
(in any build after this CL
<https://chromium-review.googlesource.com/c/chromium/src/+/4143835> has
rolled out).

*Action required*, if you process SPC-produced cryptograms either in your
client or server code: instead of reading 'rp' from the
CollectedClientAdditionalPaymentData dictionary, read the 'rpId' field.
The field contents are identical.

This change can be made in your code *today*, and will work for any
cryptogram produced by Chrome M107 or newer.

Thanks,
Stephen

-- 
smcgruer • he / him

Received on Friday, 13 January 2023 14:08:54 UTC
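
The migration described in the message above, as an added example that is not part of the original post and is not Chrome's or the working group's code: a server-side reader that takes the RP ID from 'rpId' and only falls back to 'rp' when explicitly allowed. The function names, the allowLegacyRp option, and the "rp.example" RP ID are assumptions made for illustration; the sample cryptograms are constructed.

```javascript
// Added example: read the RP ID from an SPC cryptogram (clientDataJSON).
// Function names and the allowLegacyRp option are hypothetical.

// Returns the RP ID from the `payment` member of the client data.
// Prefers 'rpId' (present from Chrome M107). 'rp' is consulted only when
// allowLegacyRp is set, for cryptograms produced before M107.
function readSpcRpId(clientDataJSON, { allowLegacyRp = false } = {}) {
  const text = typeof clientDataJSON === 'string'
    ? clientDataJSON
    : new TextDecoder('utf-8', { fatal: true }).decode(clientDataJSON);
  const payment = JSON.parse(text).payment;
  if (payment === null || typeof payment !== 'object') {
    throw new Error('clientDataJSON has no payment dictionary');
  }
  const hasRpId = typeof payment.rpId === 'string';
  const hasRp = typeof payment.rp === 'string';
  // M107 through M112 emit both fields with identical contents, so a
  // mismatch means the input is malformed and must not be trusted.
  if (hasRpId && hasRp && payment.rpId !== payment.rp) {
    throw new Error("'rp' and 'rpId' disagree");
  }
  if (hasRpId) return payment.rpId;
  if (hasRp && allowLegacyRp) return payment.rp;
  throw new Error("payment dictionary has no 'rpId'");
}

// True only when the cryptogram's RP ID equals the one the server expects.
function spcRpIdMatches(clientDataJSON, expectedRpId, options) {
  return readSpcRpId(clientDataJSON, options) === expectedRpId;
}

// Constructed sample cryptograms; only the fields relevant here are filled.
function sampleClientData(paymentFields) {
  return JSON.stringify({
    type: 'payment.get',
    origin: 'https://merchant.example',
    payment: { topOrigin: 'https://merchant.example', ...paymentFields },
  });
}
const SAMPLE_M113 = sampleClientData({ rpId: 'rp.example' });
const SAMPLE_M107 = sampleClientData({ rp: 'rp.example', rpId: 'rp.example' });
const SAMPLE_PRE_M107 = sampleClientData({ rp: 'rp.example' });
const SAMPLE_MISMATCH = sampleClientData({ rp: 'other.example', rpId: 'rp.example' });
```

This check covers only the field rename; the signature and the rest of the assertion still need to be verified as before.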