Re: [w3c/payment-handler] Payment Handler window `.focused` field (#307)

There is a security concern that I discussed recently with @marcoscaceres regarding openWindow that may be relevant here.

It is important that, even though the PH window is "special", it doesn't appear so to the user, i.e. they should never be led to believe that somehow the PH window is privileged or, worse, native browser chrome.

A suggestion was that the PH window should open a new window exactly the way clicking a `<a target="_blank">` element would do.

I agree that this window would then have focus.

The question I see in this issue is whether or not the merchant window's `.focused` property is also still `true`.

My suggestion would be that when the payment sheet appears, the merchant window is no longer in focus, i.e. `.focused === false` (maybe even blurred or overlaid with a 50% opacity mask), and is somehow locked down to prevent it showing anything new "around" the payment sheet that may somehow mislead users.

If the user invokes a PH that calls `openWindow()` this opens a new window and the user interacts with this window. The window should also be locked down to prevent the user navigating away from the PH (address bar frozen, back/forward disabled).

If the user switches back to the merchant window they should only be able to interact with the payment sheet which is still overlaid over the website and they should have only a single available button/element they can invoke and that is a `Cancel` that will cause the PR promise to reject or return the user to the payment sheet to pick another payment instrument.

Clicking cancel should also kill the PH window and raise an abort event on the PH service worker.

I am a little behind on the current implementation, so apologies if this is already there, but I am keen to hear thoughts on this to address some of Mozilla's security concerns.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-handler/issues/307#issuecomment-410220470

Received on Friday, 3 August 2018 11:04:10 UTC