Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[PING] Only allow triggering authentication from a foreground tab #237

Closed
stephenmcgruer opened this issue Apr 6, 2023 · 4 comments · Fixed by #238
Closed

[PING] Only allow triggering authentication from a foreground tab #237

stephenmcgruer opened this issue Apr 6, 2023 · 4 comments · Fixed by #238
Labels
privacy-needs-resolution Issue the Privacy Group has raised and looks for a response on.

Comments

@stephenmcgruer
Copy link
Collaborator

During today's PING discussion and review of the changes to SPC, the PING raised a concern that removing the user activation requirement could lead to sites triggering SPC from a background tab. This could confuse users, especially as technically the spec doesn't require a tab-modal dialog (Chrome just implements SPC as a tab-modal UI, which I think any reasonable browser would, but it isn't enforced).

PING has asked that we add a normative step that SPC authentication should fail if the current tab is not foreground.

@stephenmcgruer
Copy link
Collaborator Author

I think this makes sense, a few thoughts:

  1. Is this already spec'd in Payment Request somewhere? I couldn't find it at a quick glance (just a check for an active document, which is not the same thing)
  2. This should probably be spec'd in Payment Request rather than here, I think. It seems applicable in general to Payment Request, and I think for Chrome we actually already check for not background tab and reject a Payment Request in that case.

@stephenmcgruer
Copy link
Collaborator Author

Jeffrey linked me to https://html.spec.whatwg.org/multipage/interaction.html#page-visibility as the concept we probably want to work from

@ianbjacobs
Copy link
Collaborator

The show() method [1] algorithm includes this:

If document is not [fully active](https://html.spec.whatwg.org/multipage/document-sequences.html#fully-active), then return [a promise rejected with](https://webidl.spec.whatwg.org/#a-promise-rejected-with) an "[AbortError](https://webidl.spec.whatwg.org/#aborterror)" [DOMException](https://webidl.spec.whatwg.org/#idl-DOMException).

It does not sound like that suffices (no mention of page-visibility).

[1] https://w3c.github.io/payment-request/#show-method

stephenmcgruer added a commit that referenced this issue Apr 13, 2023
During PING review of the pre-CR changes to SPC, the PING raised a concern that removing the user activation requirement (see #236) could lead to sites triggering SPC from a background tab. This PR adds logic to the steps to check if a payment can be made to disallow background tabs (and minimized-windows/etc).

It is likely that eventually we will want this specified in Payment Request instead, both because it will be clearer spec text (here we have to refer to a this that is actually from the Payment Request spec), and also because we (in Chrome) already do (afaik) reject Payment Requests from background tabs. (Which is allowable by abusing the Payment Request spec text that says a user agent may reject show() for any security reason).

Fixes #237

Co-authored-by: Jeffrey Yasskin <jyasskin@gmail.com>
@ianbjacobs
Copy link
Collaborator

@samuelweiler, we've updated the specification based on the PING review. If satisfied, please do the relevant label management. :) Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
privacy-needs-resolution Issue the Privacy Group has raised and looks for a response on.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants