- From: Marcos Cáceres <notifications@github.com>
- Date: Fri, 27 Mar 2026 00:59:27 -0700
- To: w3c/payment-request <payment-request@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/payment-request/pull/1066@github.com>
Reverts the relaxation introduced in #1009 and removes the non-normative "User activation requirement" section.
## What changed
- Restores `[=transient activation=]` as a hard requirement in `show()` (removes the MAY)
- Removes the "User activation requirement" security considerations section
- Replaces both with a note acknowledging the redirect flow problem and pointing to the general solution being tracked in #1064
## Why
The MAY introduced in #1009 means a conformant browser can skip the activation check entirely with no normative constraints. The security mitigations in the removed section were all non-normative suggestions. That is not a spec constraint.
This is also part of a pattern: Digital Credentials and WebAuthn have the same problem and are reaching for the same local workarounds. The right fix is a sanctioned-continuation primitive at the HTML level (see [WICG Capability Delegation](https://wicg.github.io/capability-delegation/spec.html)), tracked in #1064.
Keeping the activation requirement strict here maintains pressure to find the general solution rather than normalizing per-spec workarounds.
You can view, comment on, or merge this pull request online at:
https://github.com/w3c/payment-request/pull/1066
-- Commit Summary --
* fix: restore transient activation requirement in show()
-- File Changes --
M index.html (53)
-- Patch Links --
https://github.com/w3c/payment-request/pull/1066.patch
https://github.com/w3c/payment-request/pull/1066.diff
Received on Friday, 27 March 2026 07:59:31 UTC
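
An added illustration, not part of the pull request or the spec text: a small JavaScript model that replays one constructed page timeline against a `show()` that treats transient activation as a hard requirement and against a user agent that uses the MAY to skip the check. `WindowModel`, `show`, `replay`, the policy names and the 5000 ms window are assumptions of this model; the timestamp rules follow HTML's definition of transient activation.

```javascript
// Model of HTML's transient activation state and the show() gate (illustrative only).
const ACTIVATION_MS = 5000; // assumed value; HTML leaves the duration to the user agent

class WindowModel {
  constructor() { this.lastActivation = Infinity; } // no gesture seen yet
  userGesture(now) { this.lastActivation = now; }
  hasTransientActivation(now) {
    return now >= this.lastActivation && now < this.lastActivation + ACTIVATION_MS;
  }
  consumeUserActivation() { this.lastActivation = -Infinity; }
}

// policy "required": the activation check is a hard requirement.
// policy "skipped": a user agent that uses the MAY and performs no check.
function show(win, now, policy) {
  if (policy === "required") {
    if (!win.hasTransientActivation(now)) return "SecurityError";
    win.consumeUserActivation(); // one payment sheet per user gesture
  }
  return "shown";
}

// Constructed timeline (ms): script calls to show() and user clicks on one page.
const TIMELINE = [
  { t: 0, call: true },      // on load, before any click
  { t: 1000, click: true },
  { t: 1200, call: true },   // inside the click's activation window
  { t: 1300, call: true },   // same click, activation already consumed
  { t: 2000, click: true },
  { t: 8000, call: true },   // activation window has expired
];

// Returns the outcome of every show() call in the timeline under one policy.
function replay(policy) {
  const win = new WindowModel();
  const results = [];
  for (const ev of TIMELINE) {
    if (ev.click) win.userGesture(ev.t);
    if (ev.call) results.push(show(win, ev.t, policy));
  }
  return results;
}

console.log("required:", replay("required").join(","));
console.log("skipped: ", replay("skipped").join(","));
```

Under the required policy only the call made inside an unconsumed, unexpired activation window opens the sheet; under the skipped policy every call does, including the one made on page load.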