-
-
-
-
If this’s relevant global object's associated Document's visibility state is not
-"visible"
, returnfalse
.Note: This prevents SPC from being triggered from a background tab, -minimized window, or other similar hidden situations.
-this is the
PaymentRequest
whoseshow()
method invoked these steps to check if a payment can be made. It -would be better to run this step directly fromshow()
. -
If data["
payeeOrigin
"] is present:-
@@ -1194,7 +1184,7 @@
show() promise with a +
Rejecting the
show()
promise with a "NotAllowedError
"DOMException
. -
@@ -1202,7 +1192,7 @@
4.1.9. Displaying a transaction confirmation UX
To avoid restricting User Agent implementation choice, this specification does -not require a User Agent to display a particular user interface when
@@ -1231,7 +1221,7 @@PaymentRequest.show()
is called and the Secure +not require a User Agent to display a particular user interface whenPaymentRequest.show()
is called and the Secure Payment Confirmation payment handler is selected. However, so that a Relying Party can trust the information included inCollectedClientPaymentData
, the User Agent MUST ensure that the following is communicated to the user and that the user’s consent is collected for the authentication:given relying party. If the user indicates that they wish to opt-out, then the user agent must reject -the
show()
promise with an +theshow()
promise with an "OptOutError
"DOMException
. See § 11.5 User opt out.Tests
@@ -1259,7 +1249,7 @@4.1.10. Steps to respond to a payment request
-The steps to respond to a payment request for this payment method, for a given
+PaymentRequest
request andSecurePaymentConfirmationRequest
data, are:The steps to respond to a payment request for this payment method, for a given
PaymentRequest
request andSecurePaymentConfirmationRequest
data, are:-
Let topOrigin be the top-level origin of the relevant settings object of request.
@@ -1352,7 +1342,7 @@Relying Party, and also adds transaction information to the signed cryptogram.
Notably, a website should not call
+directly; for authentication the extension can only be accessed vianavigator.credentials.get()
with this extension -directly; for authentication the extension can only be accessed viaPaymentRequest
with a "secure-payment-confirmation" payment method.PaymentRequest
with a "secure-payment-confirmation" payment method.Tests
This test does not directly correspond to a spec line, but instead @@ -1427,14 +1417,14 @@
relevant global object, as determined by the calling
create()
implementation, does not have transient activation: +If the relevant global object, as determined by the calling
create()
implementation, does not have transient activation:-
Return a
DOMException
whose name is "SecurityError
", and terminate this algorithm.
- -
Consume user activation of the relevant global object.
+Consume user activation of the relevant global object.
Tests
@@ -1880,8 +1870,9 @@§ 4.1.8 Steps to check if a payment can be made, where the document must be -visible in order to initiate Secure Payment Confirmation. +
Another relevant mitigation exists in
PaymentRequest.show()
: the Payment Request API +requires the document to be visible, and thus SPC cannot be triggered from a +background tab, minimized window, or other similar hidden situations.11. Privacy Considerations
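Review bot: The added sentence ("Another relevant mitigation exists in PaymentRequest.show(): the Payment Request API requires the document to be visible ...") replaces a pointer to § 4.1.8, which this same patch strips of its visibility check, so the mitigation now rests entirely on Payment Request API behaviour that this text describes only informatively. Suggest citing the specific step of the Payment Request API's show() algorithm being relied on (and confirming it enforces what the sentence claims), and keeping the "background tab, minimized window, or other similar hidden situations" wording aligned with the Note removed from § 4.1.8 so the two documents describe the same condition.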
As this specification builds on top of WebAuthn, the WebAuthn Privacy Considerations are applicable. The below subsections comprise the current Secure Payment @@ -2139,7 +2130,6 @@
[HTML] defines the following terms:
-
-
- associated document
- consume user activation
- current settings object
- in parallel
@@ -2149,7 +2139,6 @@
serialization of an origin
- top-level origin
- transient activation -
- visibility state
- [I18N-GLOSSARY] defines the following terms: @@ -2282,7 +2271,6 @@
a promise rejected with
- boolean
- sequence -
- this
- unsigned long @@ -2383,11 +2371,6 @@
I }; -
Issues Index
--this is the-PaymentRequest
whoseshow()
method invoked these steps to check if a payment can be made. It -would be better to run this step directly fromshow()
. ↵ -
-
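Review bot: Deleting the Issues Index entry is consistent with the inline issue removed from § 4.1.8 earlier in this patch, but the entry disappears without a recorded resolution; the removed text asked for the step to be run from show(), and nothing in the hunk records that this was resolved by relying on PaymentRequest.show()'s visibility requirement. Suggest stating that resolution in the changelog or commit message so the history explains why the index entry vanished.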