Re: [w3c/payment-request] User activation et webauthn (Issue #1002) from Stephen McGruer on 2023-04-05 (public-webpayments-specs@w3.org from April 2023)

From: Stephen McGruer <notifications@github.com>
Date: Wed, 05 Apr 2023 13:19:52 -0700
To: w3c/payment-request <payment-request@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/payment-request/issues/1002/1498079159@github.com>

Thanks for the details @asma1402 .

> create something like SPC for browsers that do not support it, but support Payment Request API [for our payment method]

Which browsers are you thinking of? To my knowledge:

1. Chromium-based browsers support SPC, and support Payment Request with custom payment methods (via Payment Handler)
2. Gecko-based browsers do not support SPC or Payment Request
3. Safari does not support SPC, and support Payment Request **only** for the Apple Pay payment method
4. Other WebKit-based browsers do not support SPC, and (I think) do not support Payment Request.

-------

Returning to your problem:

You are indeed correct that the problem is that if too much time passes between the user click event, and the call to `show()`, the user activation will time out. And in your case, because you are trying to do a `navigator.credentials.create` between these two it is quite likely to reach that time out.

There is unfortunately no current fix for what you are trying to do, because user activation cannot stay activated indefinitely as it would otherwise be no protection at all.

**However**, we (Chrome) are currently considering relaxing the user activation requirement for Payment Request, such that a page might get one 'free' call (without user activation) to `show()` per page-load. This is still in early stages of consideration, so no promises at all!

In the meantime, I can see two workarounds to your situation:

1. Could the Payment Handler itself call `navigator.credentials.create()`? That is, trigger `show()` first, and then from within the Payment Handler do the credential creation. (Might not be a fix, if your payment method is not the same domain as you are trying to create a credential for).
2. Have a second 'continue' button after the credential.create() call, and use that click event on that 'continue' to trigger the show() call.

--
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/issues/1002#issuecomment-1498079159
You are receiving this because you are subscribed to this thread.

Message ID: <w3c/payment-request/issues/1002/1498079159@github.com>

Received on Wednesday, 5 April 2023 20:19:57 UTC