LGTM3

On Wed, Jul 16, 2025 at 11:13 AM Vladimir Levin <vmp...@chromium.org> wrote:

> Thanks Stephen, that makes sense.
>
> LGTM2
>
> On Tuesday, July 15, 2025 at 3:20:00 PM UTC-4 Slobodan Pejic wrote:
>
>> Thanks Domenic, I have filed an issue to address this problem with the
>> secure-payment-confirmation specification (#307
>> <https://github.com/w3c/secure-payment-confirmation/issues/307>).
>>
>> On Monday, July 14, 2025 at 10:09:19 PM UTC-4 Domenic Denicola wrote:
>>
>>> This generally looks good, but there's a bit of a hole in the spec which
>>> makes it unclear whether CSP, etc. apply to these image fetches: see
>>> https://github.com/w3c/image-resource/issues/48 . (The SPC spec calls
>>> "Fetch an image resource" with no request supplied, but the Image Resource
>>> spec is broken in that case.)
>>>
>>> On Tue, Jul 15, 2025 at 3:13 AM Alex Russell <slightly...@chromium.org>
>>> wrote:
>>>
>>>> LGTM1; my view is that each browser team is managing risk about
>>>> browser-presented UI and that nothing about this forces anyone to display
>>>> anything.
>>>>
>>>> Best,
>>>>
>>>> Alex
>>>>
>>>> On Thursday, July 10, 2025 at 11:24:51 AM UTC-7 Nina Satragno wrote:
>>>>
>>>>> On Wed, 9 Jul 2025 at 12:11 p.m., Stephen Mcgruer (
>>>>> smcgr...@chromium.org) wrote:
>>>>>
>>>>>> > Hey, with regards to providing logos. My understanding is that this
>>>>>> would be displayed in trusted content. Are there some affordances to
>>>>>> clearly indicate that these logos are provided by the merchants? I'm a
>>>>>> little concerned for cases like displaying arbitrary content in trusted
>>>>>> UI because of things like hate symbols, among other things.
>>>>>>
>>>>>> Hi Vlad; you're completely right to be concerned in this regard - it
>>>>>> is a general concern with SPC. Whilst we do care about this issue, our
>>>>>> counter-argument is that there is no incentive to display misleading or
>>>>>> offensive logos using SPC.
>>>>>>
>>>>>> Firstly, if we examine the 'offensive' case - what is the value of
>>>>>> SPC here for someone who wants to offend? If I'm the website, I can 
>>>>>> render
>>>>>> offensive iconography in an HTML 'bottomsheet' UX, with a Chrome logo at
>>>>>> the top of it, and write whatever I want. Users will generally not know 
>>>>>> the
>>>>>> difference, and many will just attribute that to being from Chrome 
>>>>>> anyway.
>>>>>> We're actually not looking to present SPC as being "from Chrome" - 
>>>>>> there's
>>>>>> no logo, for example. We've historically discussed this with security, 
>>>>>> and
>>>>>> we have offered to remove the 'line of death/full screen scrim' to 
>>>>>> further
>>>>>> divorce SPC from being 'browser UX' - but so far they haven't asked us to
>>>>>> do that.
>>>>>>
>>>>>> Secondly, if we examine the 'misleading' case, we cover that in the
>>>>>> spec (here
>>>>>> <https://w3c.github.io/secure-payment-confirmation/#sctn-security-payment-attack>
>>>>>> and here
>>>>>> <https://w3c.github.io/secure-payment-confirmation/#sctn-security-merchant-data>),
>>>>>> but broadly the answer is that even if you trick the user into creating 
>>>>>> an
>>>>>> SPC cryptogram, it has no value unless you are literally processing a
>>>>>> transaction with the underlying payment providers (and they are able to
>>>>>> examine the output signed cryptogram to know exactly what data you 
>>>>>> provided
>>>>>> to the user). So as a misleading attacker, you at best end up with an SPC
>>>>>> cryptogram with no use for it.
>>>>>>
>>>>>> On Wed, 9 Jul 2025 at 12:01, Stephen Mcgruer <smcgr...@chromium.org>
>>>>>> wrote:
>>>>>>
>>>>>>> > Sorry, I didn't read the WPT PRs you linked. I see that the tests
>>>>>>> already depend on test_driver.add_virtual_authenticator(). Is there
>>>>>>> anything blocking testing here, or is it OK if shipping this is 
>>>>>>> conditional
>>>>>>> on the tests being landed?
>>>>>>>
>>>>>>> The main issue is that WebAuthn virtual authenticators are not
>>>>>>> supported on Chrome Android (as far as I know, cc @Nina Satragno
>>>>>>> <nsatra...@google.com> ), whilst this feature is shipping first for
>>>>>>> SPC in Chrome Android (with Desktop to follow in a few milestones). So
>>>>>>> they're not going to pass when initially landed (and indeed will regress
>>>>>>> SPC's wpt.fyi status in Chrome), *however* we discussed this
>>>>>>> internally yesterday and decided it's still better to have tests that
>>>>>>> reflect the specification even if they now fail due to lack of test
>>>>>>> support. So our plan is to land them in the coming days (once reviewed).
>>>>>>>
>>>>>>
>>>>> This is correct, there's no virtual authenticator support for Android.
>>>>> From a WPT perspective this also seems like a reasonable approach to me.
>>>>>
>>>>>
>>>>>>
>>>>>>> On Wed, 9 Jul 2025 at 11:21, Philip Jägenstedt <foo...@chromium.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Sorry, I didn't read the WPT PRs you linked. I see that the tests
>>>>>>>> already depend on test_driver.add_virtual_authenticator(). Is there
>>>>>>>> anything blocking testing here, or is it OK if shipping this is 
>>>>>>>> conditional
>>>>>>>> on the tests being landed?
>>>>>>>>
>>>>>>>> On Wed, Jul 9, 2025 at 5:17 PM Philip Jägenstedt <
>>>>>>>> foo...@chromium.org> wrote:
>>>>>>>>
>>>>>>>>> Hey Stephen,
>>>>>>>>>
>>>>>>>>> Is WebAuthn virtual authenticators the DevTools feature mentioned
>>>>>>>>> in https://developer.chrome.com/docs/devtools/webauthn?
>>>>>>>>>
>>>>>>>>> If you need powerful test automation for WebAuthn, have you had a
>>>>>>>>> look at what's currently possible with WebDriver BiDi and 
>>>>>>>>> testdriver.js?
>>>>>>>>> Recently
>>>>>>>>> <https://github.com/web-platform-tests/wpt/commits/0fc79d8e619d1ab680b2688e8ec6b9dd51b19b26/resources/testdriver.js>
>>>>>>>>> a lot of previously "too hard" features have been added to
>>>>>>>>> testdriver.js, and there might be a pattern you can follow there.
>>>>>>>>>
>>>>>>>>> Best regards,
>>>>>>>>> Philip
>>>>>>>>>
>>>>>>>>> On Thu, Jul 3, 2025 at 7:29 PM Stephen Mcgruer <
>>>>>>>>> smcgr...@chromium.org> wrote:
>>>>>>>>>
>>>>>>>>>> (Also, -chrome-payments-eng@ as that is an internal group that
>>>>>>>>>> will not accept email from @chromium.org or other external
>>>>>>>>>> accounts :))
>>>>>>>>>>
>>>>>>>>>> On Thu, 3 Jul 2025 at 13:26, Stephen Mcgruer <
>>>>>>>>>> smcgr...@chromium.org> wrote:
>>>>>>>>>>
>>>>>>>>>>> Quick clarification here:
>>>>>>>>>>>
>>>>>>>>>>> > Is this feature fully tested by web-platform-tests?
>>>>>>>>>>> > No
>>>>>>>>>>>
>>>>>>>>>>> We are working on adding tests, but since the SPC WPTs rely on
>>>>>>>>>>> WebAuthn virtual authenticators, and those are not available on 
>>>>>>>>>>> Chrome
>>>>>>>>>>> Android, we are having to test them manually as we develop. When 
>>>>>>>>>>> these
>>>>>>>>>>> features are implemented for Desktop then things should start 
>>>>>>>>>>> working
>>>>>>>>>>> better!
>>>>>>>>>>>
>>>>>>>>>>>    - https://github.com/web-platform-tests/wpt/pull/53358
>>>>>>>>>>>    (paymentEntityLogos)
>>>>>>>>>>>    - https://github.com/web-platform-tests/wpt/pull/53333
>>>>>>>>>>>    (instrument.details)
>>>>>>>>>>>    - https://github.com/web-platform-tests/wpt/pull/53386 (new
>>>>>>>>>>>    output states)
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Thu, 3 Jul 2025 at 12:14, Chromestatus <
>>>>>>>>>>> ad...@cr-status.appspotmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Contact emails darwiny...@chromium.org, slobo...@chromium.org,
>>>>>>>>>>>> smcgr...@chromium.org
>>>>>>>>>>>>
>>>>>>>>>>>> Explainer
>>>>>>>>>>>> https://github.com/w3c/secure-payment-confirmation/issues/197
>>>>>>>>>>>> https://github.com/w3c/secure-payment-confirmation/issues/275
>>>>>>>>>>>>
>>>>>>>>>>>> Specification https://w3c.github.io/secure-payment-confirmation
>>>>>>>>>>>>
>>>>>>>>>>>> Design docs
>>>>>>>>>>>> https://github.com/w3c/secure-payment-confirmation/issues/197
>>>>>>>>>>>> https://github.com/w3c/secure-payment-confirmation/issues/275
>>>>>>>>>>>> https://github.com/w3c/secure-payment-confirmation/pull/292
>>>>>>>>>>>> https://github.com/w3c/secure-payment-confirmation/pull/294
>>>>>>>>>>>> https://github.com/w3c/secure-payment-confirmation/pull/298
>>>>>>>>>>>>
>>>>>>>>>>>> Summary
>>>>>>>>>>>>
>>>>>>>>>>>> Updates the UX elements for the SPC dialog on Android Chrome.
>>>>>>>>>>>> Other than just UX presentation the following are being added:
>>>>>>>>>>>> - Allowing merchants to provide an optional list of payment entity
>>>>>>>>>>>> logos related to the payment that will be displayed in the UX (
>>>>>>>>>>>> https://github.com/w3c/secure-payment-confirmation/pull/294).
>>>>>>>>>>>> - Returning different output states back to the merchant depending
>>>>>>>>>>>> on whether the user wants to continue the transaction without SPC
>>>>>>>>>>>> or to cancel the transaction (
>>>>>>>>>>>> https://github.com/w3c/secure-payment-confirmation/pull/292).
>>>>>>>>>>>> Currently, we only send a single output state back for both cases.
>>>>>>>>>>>> - A new payment detail label field will be added to the payment
>>>>>>>>>>>> instrument so the text can be presented across 2 lines in SPC (
>>>>>>>>>>>> https://github.com/w3c/secure-payment-confirmation/pull/298)
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Blink component Blink>Payments
>>>>>>>>>>>> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EPayments%22>
>>>>>>>>>>>>
>>>>>>>>>>>> TAG review N/A (minor additive features)
>>>>>>>>>>>>
>>>>>>>>>>>> TAG review status Not applicable
>>>>>>>>>>>>
>>>>>>>>>>>> Risks
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Interoperability and Compatibility
>>>>>>>>>>>>
>>>>>>>>>>>> Low risk. The SPC UX Refresh changes are only purely additive
>>>>>>>>>>>> API shapes that are all backwards compatible. The risk is that
>>>>>>>>>>>> other browsers do not implement it.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> *Gecko*: No signal (
>>>>>>>>>>>> https://github.com/mozilla/standards-positions/issues/570)
>>>>>>>>>>>> Firefox has never finalized their view on SPC, so we updated the 
>>>>>>>>>>>> original
>>>>>>>>>>>> SPC issue with a note on this additional capability.
>>>>>>>>>>>>
>>>>>>>>>>>> *WebKit*: No signal (
>>>>>>>>>>>> https://github.com/WebKit/standards-positions/issues/30)
>>>>>>>>>>>> Safari has never finalized their view on SPC, so we updated the 
>>>>>>>>>>>> original
>>>>>>>>>>>> SPC issue with a note on this additional capability.
>>>>>>>>>>>>
>>>>>>>>>>>> *Web developers*: Positive. Responding to requests/feedback
>>>>>>>>>>>> from web developers in the WPWG.
>>>>>>>>>>>>
>>>>>>>>>>>> *Other signals*:
>>>>>>>>>>>>
>>>>>>>>>>>> WebView application risks
>>>>>>>>>>>>
>>>>>>>>>>>> Does this intent deprecate or change behavior of existing APIs,
>>>>>>>>>>>> such that it has potentially high risk for Android WebView-based
>>>>>>>>>>>> applications?
>>>>>>>>>>>>
>>>>>>>>>>>> None
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Debuggability
>>>>>>>>>>>>
>>>>>>>>>>>> Web developers should be able to try the new SPC UX Refresh
>>>>>>>>>>>> through a Chrome flag, thus no changes are needed in devtools.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Will this feature be supported on all six Blink platforms
>>>>>>>>>>>> (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
>>>>>>>>>>>> No
>>>>>>>>>>>>
>>>>>>>>>>>> SPC UX Refresh is added to Secure Payment Confirmation which is
>>>>>>>>>>>> supported only on Android, Windows, and Mac.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Is this feature fully tested by web-platform-tests
>>>>>>>>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
>>>>>>>>>>>> ? No
>>>>>>>>>>>>
>>>>>>>>>>>> DevTrial instructions
>>>>>>>>>>>> https://docs.google.com/document/d/1w3RfvmoQqCvJkio4rxl0QR4BL1AzgHdv9a0qJhfCzpg
>>>>>>>>>>>>
>>>>>>>>>>>> Flag name on about://flags
>>>>>>>>>>>> enable-secure-payment-confirmation-ux-refresh
>>>>>>>>>>>>
>>>>>>>>>>>> Finch feature name SecurePaymentConfirmationUxRefresh
>>>>>>>>>>>>
>>>>>>>>>>>> Rollout plan Will ship enabled for all users
>>>>>>>>>>>>
>>>>>>>>>>>> Requires code in //chrome? False
>>>>>>>>>>>>
>>>>>>>>>>>> Tracking bug https://g-issues.chromium.org/issues/405173922
>>>>>>>>>>>>
>>>>>>>>>>>> Launch bug https://launch.corp.google.com/launch/4397413
>>>>>>>>>>>>
>>>>>>>>>>>> Measurement SPC UX Refresh is only additive to Secure Payment
>>>>>>>>>>>> Confirmation: The Secure Payment Confirmation UseCounter will be 
>>>>>>>>>>>> used.
>>>>>>>>>>>>
>>>>>>>>>>>> Availability expectation Secure Payment Confirmation is only
>>>>>>>>>>>> in Chromium browsers for the foreseeable future.
>>>>>>>>>>>>
>>>>>>>>>>>> Non-OSS dependencies
>>>>>>>>>>>>
>>>>>>>>>>>> Does the feature depend on any code or APIs outside the
>>>>>>>>>>>> Chromium open source repository and its open-source dependencies to
>>>>>>>>>>>> function?
>>>>>>>>>>>> None
>>>>>>>>>>>>
>>>>>>>>>>>> Sample links
>>>>>>>>>>>> https://rsolomakhin.github.io/pr/spc-payment-entities-logos
>>>>>>>>>>>> https://rsolomakhin.github.io/pr/spc-opt-out
>>>>>>>>>>>>
>>>>>>>>>>>> Estimated milestones
>>>>>>>>>>>> Shipping on Android 139
>>>>>>>>>>>> DevTrial on Android 139
>>>>>>>>>>>>
>>>>>>>>>>>> Anticipated spec changes
>>>>>>>>>>>>
>>>>>>>>>>>> Open questions about a feature may be a source of future web
>>>>>>>>>>>> compat or interop issues. Please list open issues (e.g. links to 
>>>>>>>>>>>> known
>>>>>>>>>>>> github issues in the project for the feature specification) whose
>>>>>>>>>>>> resolution may introduce web compat/interop risk (e.g., changing 
>>>>>>>>>>>> to naming
>>>>>>>>>>>> or structure of the API in a non-backward-compatible way).
>>>>>>>>>>>> None
>>>>>>>>>>>>
>>>>>>>>>>>> Link to entry on the Chrome Platform Status
>>>>>>>>>>>> https://chromestatus.com/feature/5206050462236672?gate=5106969593249792
>>>>>>>>>>>>
>>>>>>>>>>>> Links to previous Intent discussions Intent to Prototype:
>>>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/683f5e54.170a0220.31427f.1558.GAE%40google.com
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> This intent message was generated by Chrome Platform Status
>>>>>>>>>>>> <https://chromestatus.com>.
>>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>> You received this message because you are subscribed to the
>>>>>>>>>> Google Groups "blink-dev" group.
>>>>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>>>>> send an email to blink-dev+unsubscr...@chromium.org.
>>>>>>>>>> To view this discussion visit
>>>>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADY3MafTfsu-e69p_8ixAyLvfj0VnVuxs%3DT95w55UbeDSKKr5g%40mail.gmail.com
>>>>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADY3MafTfsu-e69p_8ixAyLvfj0VnVuxs%3DT95w55UbeDSKKr5g%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>>>>>>>> .
>>>>>>>>>>
>>>>>>>>>
>>>>>
>>>>> --
>>>>> Nina Satragno
>>>>>
>>>
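As an added example (not code from this thread or from the SPC project), Stephen's "misleading" argument in practice: the payment provider compares the details bound into the signed SPC assertion's clientDataJSON with the transaction it is actually processing, so a cryptogram produced by showing the user different details is rejected. The `payment.get` type and the `payment.rpId`, `payeeOrigin` and `total` member names follow my reading of the SPC spec and are assumptions; all sample values are constructed.

```python
import hashlib
import json

# Constructed sample: the transaction the payment provider is actually processing.
EXPECTED_TXN = {
    "challenge": "c3BjLWNoYWxsZW5nZS0xMjM",
    "rpId": "bank.example",
    "payeeOrigin": "https://merchant.example",
    "total": {"currency": "USD", "value": "19.99"},
}

# Constructed clientDataJSON as the browser binds it into an SPC assertion. Member
# names follow the SPC spec's payment extension (an assumption, not from the thread).
GOOD_CLIENT_DATA = json.dumps({
    "type": "payment.get",
    "challenge": "c3BjLWNoYWxsZW5nZS0xMjM",
    "payment": {
        "rpId": "bank.example",
        "payeeOrigin": "https://merchant.example",
        "total": {"currency": "USD", "value": "19.99"},
        "instrument": {"displayName": "Visa ****1234", "icon": "https://bank.example/card.png"},
    },
}).encode()

def check_spc_client_data(client_data_json: bytes, expected: dict) -> list:
    """Return mismatches between what the user was shown (bound into the signed
    clientDataJSON) and the transaction being processed; empty means consistent."""
    cd = json.loads(client_data_json)
    pay = cd.get("payment") or {}
    problems = []
    if cd.get("type") != "payment.get":
        problems.append("type: not an SPC payment assertion")
    if cd.get("challenge") != expected["challenge"]:
        problems.append("challenge: not the one issued for this transaction")
    for key in ("rpId", "payeeOrigin", "total"):
        if pay.get(key) != expected[key]:
            problems.append(f"payment.{key}: shown {pay.get(key)!r}, processing {expected[key]!r}")
    return problems

def signed_message(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """Bytes the authenticator signature covers: authenticatorData || SHA-256(clientDataJSON).
    Changing any displayed detail changes this hash, so the signature no longer verifies."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()

def tampered(client_data_json: bytes, **changes) -> bytes:
    """Constructed helper: the same clientDataJSON with altered payment details."""
    cd = json.loads(client_data_json)
    cd["payment"].update(changes)
    return json.dumps(cd).encode()
```

The signature check itself (over `signed_message(...)` with the credential's public key) is the standard WebAuthn step and is left to the provider's WebAuthn library.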
