Re: [w3c/payment-handler] Security consideration: user consent before payment (#365)

@ianbjacobs commented on this pull request.



> @@ -2438,10 +2438,19 @@ <h2>
         </h2>
         <ul>
           <li>One goal of this specification is to minimize the user
-          interaction required to make a payment. At the same time, user agents
-          must not permit combinations of configurations that would enable
-          invoking Web sites to invoke payment request and receive payments
-          silently.
+          interaction required to make a payment. However, we also want to
+          ensure that the user has an opportunity to consent to making a
+          payment. Because payment handlers are not required to open windows
+          for user interaction, user agents should take necessary steps to
+          provide for some form of user action before <a data-cite=
+          "payment-request#show-method">PaymentRequest.show()</a> resolves. For
+          example, a user agent might do nothing if a payment handler opens a
+          window and the user has an opportunity to confirm a transaction via a
+          button. But if the payment handler does not open a window, or opens a
+          window without an opportunity for user interaction, the browser might
+          prompt the user to confirm the payment handler's behavior before
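Review bot: the new text drops the normative "user agents must not permit combinations of configurations that would enable invoking Web sites to invoke payment request and receive payments silently" and replaces it with "user agents should take necessary steps", which turns the bullet's only hard requirement into advice; keep the "must not" sentence alongside the new guidance, or state the new requirement with "must". The examples also leave unspecified how a user agent decides that a handler-opened window offered "an opportunity for user interaction" (a window can be open and still be content-less), so say what evidence the user agent relies on, for instance that it observed user interaction in the handler window before `PaymentRequest.show()` resolves, rather than leaving that judgement to the payment handler.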

Hi @danyao,

The use cases you cited are very helpful.

If it is up to the payment handler to call PaymentRequestEvent.finalizeResponse(),
that seems to leave open the possibility that the payment handler could lie.

I was thinking more along these lines:

 * In a payment handler window, the browser keeps track of all user interaction events, whether at the top level or in descendant iframes.
 * If the number of user events logged before show() == 0 then prompt the user.

I am not a browser maker, so I don't know whether that makes sense.

Regarding the minimal UI use case, that seems like one where the browser could enforce the user interaction requirement itself rather than relying on the content-less PH to do so.

Ian

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-handler/pull/365#discussion_r409847274

Received on Thursday, 16 April 2020 21:04:57 UTC
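The gate Ian sketches in the comment above, written out as an added example; this is not code from the payment-handler spec, from this thread, or from any browser. It models a user agent that keeps its own ledger of trusted user interaction events seen in the payment handler window (top-level document or any descendant iframe), and that prompts before `PaymentRequest.show()` resolves when that ledger is empty, ignoring whatever the handler itself asserts. The class and function names (`InteractionLedger`, `gateBeforeShowResolves`), the frame and event object shapes, the `promptUser` hook, and the list of activation event types are all assumptions made for the example.

```javascript
// Added example, not code from the payment-handler spec or any browser:
// a user-agent-side model of the consent gate discussed in the thread.
// The browser records user interaction events it observed itself and
// never consults the payment handler's own claim, so a lying handler
// gains nothing.

// Assumption: approximates HTML's "activation triggering input events".
// Script-dispatched events (isTrusted === false) never count.
const ACTIVATION_EVENT_TYPES = new Set([
  "keydown", "mousedown", "pointerdown", "pointerup", "touchend",
]);

class InteractionLedger {
  // handlerWindowId: hypothetical browser-internal id of the top-level
  // payment handler window.
  constructor(handlerWindowId) {
    this.handlerWindowId = handlerWindowId;
    this.events = [];
  }

  // frame: { windowId, ancestorWindowIds } (hypothetical shape describing
  // the browsing context the event fired in); evt: { type, isTrusted }.
  // Returns true if the event was counted.
  record(frame, evt) {
    if (evt.isTrusted !== true) return false;            // synthetic event
    if (!ACTIVATION_EVENT_TYPES.has(evt.type)) return false;
    const inHandlerWindow =
      frame.windowId === this.handlerWindowId ||
      frame.ancestorWindowIds.includes(this.handlerWindowId); // nested iframe
    if (!inHandlerWindow) return false;                   // unrelated window
    this.events.push({ type: evt.type, windowId: frame.windowId });
    return true;
  }

  count() {
    return this.events.length;
  }
}

// Decide what the user agent does right before show() resolves.
// promptUser(message) is a hypothetical browser UI hook that returns true
// when the user confirms. handlerClaim is whatever the handler asserted
// about consent; it is taken as a parameter only to make explicit that
// the decision does not depend on it.
function gateBeforeShowResolves(ledger, handlerClaim, promptUser) {
  if (ledger.count() > 0) {
    return { action: "resolve", reason: "user-interaction-observed" };
  }
  // Covers both the minimal-UI case (no window opened) and the case of a
  // window that offered nothing to interact with.
  const confirmed = promptUser(
    "This payment handler did not ask for your confirmation. Allow the payment?"
  );
  return confirmed
    ? { action: "resolve", reason: "user-confirmed-via-prompt" }
    : { action: "reject", reason: "user-declined-prompt" };
}

// Constructed scenarios so the module runs offline.
function runScenarios() {
  const HANDLER = 10, IFRAME = 11, OTHER = 99;
  const top = { windowId: HANDLER, ancestorWindowIds: [] };
  const iframe = { windowId: IFRAME, ancestorWindowIds: [HANDLER] };
  const other = { windowId: OTHER, ancestorWindowIds: [] };
  const alwaysYes = () => true;
  const alwaysNo = () => false;

  // 1. Handler opened a window; the user pressed a button in a nested iframe.
  const a = new InteractionLedger(HANDLER);
  a.record(iframe, { type: "pointerdown", isTrusted: true });
  const nestedClick = gateBeforeShowResolves(a, true, alwaysNo);

  // 2. Minimal-UI handler: no window, nothing logged, handler claims consent.
  const b = new InteractionLedger(HANDLER);
  const noWindow = gateBeforeShowResolves(b, true, alwaysYes);

  // 3. Handler forges interaction with a script-dispatched event, and a
  //    real click lands in an unrelated window; neither counts.
  const c = new InteractionLedger(HANDLER);
  const forged = c.record(top, { type: "pointerdown", isTrusted: false });
  const unrelated = c.record(other, { type: "pointerdown", isTrusted: true });
  const declined = gateBeforeShowResolves(c, true, alwaysNo);

  return { nestedClick, noWindow, forged, unrelated, declined, forgedCount: c.count() };
}
```

Scenario 2 is the minimal-UI case from the thread: the browser, not the content-less handler, enforces the interaction requirement by prompting. Scenario 3 is why the ledger only counts `isTrusted` events from the handler's own window tree: a handler that dispatches synthetic clicks, or that piggybacks on activity elsewhere, still ends up at the prompt.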