Responses to the Self-Review Questionnaire: Security and Privacy for the Digital Goods API
2.1 What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?
The API allows an origin to query the details of digital goods available from a store backend, for that origin and user. It exposes the user's chosen currency (as part of the price details) and which items the user has purchased. The origin needs this information to display the user's purchases and to unlock features or content that depend on purchases already made.
The API also allows an origin to know that a purchase has been acknowledged, which is necessary to confirm that a transaction has completed.
2.2 Is this specification exposing the minimum amount of information necessary to power the feature?
Yes.
2.3 How does this specification deal with personal information or personally-identifiable information or information derived thereof?
The API involves a user who is already authenticated with the user agent, and their purchases from a specific origin, but it does not expose any new information about the user. If the user makes a purchase from an origin, the information about that purchase may be queryable later by the origin.
However, if the user makes a purchase and later signs out of the origin (or clears its site data) while remaining authenticated with the user agent, the purchase information may still be retrievable, and the origin could use it to link the new session to the old one and re-identify the user. Implementers should carefully consider what information is exposed, and under which conditions.
2.4 How does this specification deal with sensitive information?
No special treatment.
2.5 Does this specification introduce new state for an origin that persists across browsing sessions?
Yes, but this state cannot be created directly through this API: the user has to buy something through a separate API (Payment Request) before any state becomes visible here.
2.6 What information from the underlying platform, e.g. configuration data, is exposed by this specification to an origin?
The origin will be able to make deductions from the presence or absence of the API. For example, a store backend may be available in certain contexts only, or a user agent may support the API on specific platforms only.
2.7 Does this specification allow an origin access to sensors on a user's device?
No.
2.8 What data does this specification expose to an origin? Please also document what data is identical to data exposed by other features, in the same or different contexts.
Data about the user's digital goods purchases. If those purchases were made through the Payment Request API on the same origin, the origin already has access to that information.
2.9 Does this specification enable new script execution/loading mechanisms?
No.
2.10 Does this specification allow an origin to access other devices?
No.
2.11 Does this specification allow an origin some measure of control over a user agent's native UI?
No.
2.12 What temporary identifiers might this specification create or expose to the web?
None.
2.13 How does this specification distinguish between behavior in first-party and third-party contexts?
The API should require the "payment" permissions policy, as defined in the Payment Request API. Where that policy is disabled, the user agent should act as if there are no available payment methods. The default allowlist for "payment" is 'self', so in a third-party context the feature is enabled only if the top-level context (and every intermediate frame) explicitly delegates it to the sub-frame, for example with an allow="payment" attribute on the iframe. This lets top-level code delegate payment handling to a chosen third party if desired, while a cross-origin frame that has not been delegated the feature sees no payment methods.
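As an added example (not part of this questionnaire or of the Digital Goods API), the following JavaScript models the Permissions Policy inheritance rules that decide whether the "payment" feature is enabled in a nested frame, using its default allowlist of 'self'. The origins, frames and allow attributes are constructed for illustration, and the general algorithm is the one Permissions Policy applies to any policy-controlled feature, not something specific to digital goods.

```javascript
// Added example, not part of the questionnaire or the Digital Goods API:
// a small model of how Permissions Policy decides whether the "payment"
// feature is enabled in a (possibly nested) frame. The "payment" feature,
// defined by Payment Request, has the default allowlist 'self', so a
// cross-origin iframe only gets it through explicit delegation.
// Origins, frames and allow attributes below are constructed for illustration.

const FEATURE = 'payment';
const DEFAULT_ALLOWLIST = ['self']; // default allowlist of the "payment" feature

// Parse the allowlist for FEATURE out of an <iframe allow="..."> attribute.
// Returns undefined when the attribute does not mention the feature, otherwise
// an array of origins ('self' and '*' are kept as-is; 'src' and a bare feature
// name both resolve to the frame's own origin; 'none' yields an empty list).
function parseAllow(attr, frameOrigin) {
  for (const decl of attr.split(';')) {
    const tokens = decl.trim().split(/\s+/).filter(Boolean);
    if (tokens[0] !== FEATURE) continue;
    const origins = tokens.slice(1).map(t => t.replace(/^'|'$/g, ''));
    if (origins.length === 0) return [frameOrigin];
    if (origins.includes('none')) return [];
    return origins.map(o => (o === 'src' ? frameOrigin : o));
  }
  return undefined;
}

// Does `origin` match an allowlist evaluated in a document of origin `docOrigin`?
function matches(allowlist, origin, docOrigin) {
  return allowlist.some(e =>
    e === '*' || (e === 'self' ? origin === docOrigin : e === origin));
}

// frames[0] is the top-level document; frames[i] is embedded by frames[i-1].
// Each frame: { origin, header?: allowlist from its Permissions-Policy response
// header, allow?: allowlist parsed from the iframe element that embeds it }.
function inheritedPolicy(frames, i, origin) {
  if (i === 0) return true; // top-level document: nothing to inherit from
  const parent = frames[i - 1];
  const frame = frames[i];
  // The parent document must be able to use the feature itself ...
  if (!isEnabled(frames, i - 1, parent.origin)) return false;
  // ... and must delegate it: through the iframe allow attribute if present,
  // otherwise only if its own policy already enables it for the child's origin.
  if (frame.allow !== undefined) return matches(frame.allow, origin, frame.origin);
  return isEnabled(frames, i - 1, origin);
}

function isEnabled(frames, i, origin) {
  const frame = frames[i];
  if (!inheritedPolicy(frames, i, origin)) return false;
  const declared = frame.header !== undefined ? frame.header : DEFAULT_ALLOWLIST;
  return matches(declared, origin, frame.origin);
}

// Can the innermost frame of the chain use payment features at all?
function paymentAllowed(frames) {
  const last = frames[frames.length - 1];
  return isEnabled(frames, frames.length - 1, last.origin);
}

// Constructed origins for the scenarios below.
const SHOP = 'https://shop.example';
const PARTNER = 'https://partner.example';
const PAY = 'https://payments.example';

function scenarios() {
  return {
    // Top-level document: the default 'self' allowlist enables it for itself.
    topLevel: paymentAllowed([{ origin: SHOP }]),
    // Cross-origin iframe with no allow attribute: not delegated.
    undelegated: paymentAllowed([{ origin: SHOP }, { origin: PAY }]),
    // <iframe src=PAY allow="payment">: delegated to the frame's own origin.
    delegated: paymentAllowed([
      { origin: SHOP },
      { origin: PAY, allow: parseAllow('payment', PAY) },
    ]),
    // Delegated to one origin while the frame is served from another.
    wrongOrigin: paymentAllowed([
      { origin: SHOP },
      { origin: PAY, allow: parseAllow(`payment ${PARTNER}`, PAY) },
    ]),
    // Two levels deep: the middle frame was delegated but does not delegate on.
    nestedBroken: paymentAllowed([
      { origin: SHOP },
      { origin: PARTNER, allow: parseAllow('payment', PARTNER) },
      { origin: PAY },
    ]),
    // Every level delegates explicitly.
    nestedOk: paymentAllowed([
      { origin: SHOP },
      { origin: PARTNER, allow: parseAllow('payment', PARTNER) },
      { origin: PAY, allow: parseAllow('payment', PAY) },
    ]),
    // Permissions-Policy: payment=() on the top-level response disables the
    // feature for the document itself and for anything it tries to delegate to.
    headerDisabled: paymentAllowed([
      { origin: SHOP, header: [] },
      { origin: PAY, allow: parseAllow('payment', PAY) },
    ]),
  };
}

console.log(scenarios());
```

The same model explains why the "no payment methods" behaviour is the right fallback: a frame that is not delegated the feature, like a frame in a private browsing session, should observe exactly what it would observe if the store backend were simply absent, so a site cannot distinguish "policy denied" from "nothing to buy".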
2.14 How does this specification work in the context of a user agent’s Private Browsing or "incognito" mode?
The specification assumes an authenticated user, which is not usually the case in incognito mode. The user agent should act as if there are no available payment methods in incognito mode.
2.15 Does this specification have a "Security Considerations" and "Privacy Considerations" section?
Yes. https://github.com/WICG/digital-goods/blob/master/explainer.md#security-and-privacy-considerations
2.16 Does this specification allow downgrading default security characteristics?
No.
2.17 What should this questionnaire have asked?
No more questions.