[w3c/payment-handler] Reduce risk of tracking related to payment handlers without UI (Issue #416)

(Below I quote previous text from the Chrome team, moving it from this pull request [1] to an issue)
[1] https://github.com/w3c/webpayments/pull/261

The Payment Handler specification currently [does not require](https://w3c.github.io/payment-handler/#windows) the Payment
Handler to show any visible UI to the user. Since the Payment Handler service worker runs in a 1p context, this allows for invisible tracking of the user:

1. A colluding website (https://site.example) gets a user click (e.g., on a next button on the website UX).
1. It constructs a Payment Request for the tracker (https://tracker.example) and calls `show()`.
1. The tracker 'payment app' is JIT-installed (or was installed earlier via `PaymentInstrument.set()`), and receives a
   [PaymentRequestEvent](https://w3c.github.io/payment-handler/#the-paymentrequestevent).
    - This event can contain arbitrary information from the colluding website, and the app is running in a 1p context.
1. The tracker 'payment app' **does not** call `openWindow()`. Instead, it reads its 1p state and sends the user information to its server (possibly along with shared information from the colluding website) and calls `respondWith()` to **silently** finish the Payment Request.

This attack is similar to opening and closing a pop-up window (or doing a bounce redirect).

#### Potential Mitigation

Mitigating this attack is likely to be up to the user agent. We intend to force UI to be shown when `show()` is called. That makes sure that the user is aware of what is happening, even if the app does not call `openWindow()`. Other potential mitigations here might be to delay allowing `respondWith()` to be called immediately or to require a user interaction with the payment app before allowing it to close (to avoid a 'flash of content' attack).

https://github.com/w3c/payment-handler/issues/416

Received on Wednesday, 26 April 2023 16:18:21 UTC
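As an added example that is not part of the issue text or of any browser's code: a small JavaScript model of the user-agent-side mitigations proposed above (forced UI on `show()`, a minimum visible time before `respondWith()` is honored, and a required user interaction with the payment app before the request may complete). The class and function names, the 500 ms threshold and the scenario timings are assumptions made for illustration.

```javascript
// Added example (not from the issue or any browser): a toy model of the
// user-agent mitigations proposed in the issue. Names, the 500 ms minimum
// and the "user interaction" requirement are assumptions for illustration.
class PaymentFlowModel {
  constructor({ minVisibleMs = 500, requireInteraction = true } = {}) {
    this.minVisibleMs = minVisibleMs;
    this.requireInteraction = requireInteraction;
    this.uiShownAt = null;       // time at which the UA forced UI to appear
    this.userInteracted = false; // user interacted with the payment app
    this.log = [];
  }
  // Merchant calls show(): the UA surfaces UI unconditionally, so the
  // user sees something even if the handler never calls openWindow().
  show(now) { this.uiShownAt = now; this.log.push('ui-shown'); }
  openWindow() { this.log.push('open-window'); }
  userInteraction() { this.userInteracted = true; this.log.push('interaction'); }
  // Handler calls respondWith(): reject silent or flash-of-content
  // completions instead of finishing the Payment Request.
  respondWith(now) {
    if (this.uiShownAt === null) return { ok: false, reason: 'no-ui' };
    if (now - this.uiShownAt < this.minVisibleMs) return { ok: false, reason: 'too-fast' };
    if (this.requireInteraction && !this.userInteracted) return { ok: false, reason: 'no-interaction' };
    this.log.push('completed');
    return { ok: true, reason: null };
  }
}

// Replay [timestampMs, eventName] pairs against the model and report the outcome.
function runScenario(events, options) {
  const m = new PaymentFlowModel(options);
  let result = { ok: false, reason: 'never-responded' };
  for (const [t, ev] of events) {
    if (ev === 'show') m.show(t);
    else if (ev === 'openWindow') m.openWindow();
    else if (ev === 'userInteraction') m.userInteraction();
    else if (ev === 'respondWith') result = m.respondWith(t);
    else throw new Error(`unknown event ${ev}`);
  }
  return { ...result, log: m.log };
}

// Constructed scenarios: the silent tracker flow from the issue, a handler that
// opens a window and closes it before the user can react, and a legitimate one.
const silentTracker = [[0, 'show'], [10, 'respondWith']];
const flashOfContent = [[0, 'show'], [20, 'openWindow'], [900, 'respondWith']];
const legitimate = [[0, 'show'], [20, 'openWindow'], [3000, 'userInteraction'], [3100, 'respondWith']];

for (const s of [silentTracker, flashOfContent, legitimate]) console.log(runScenario(s));
```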