Changes resulting from 28 February PING privacy review #843
Conversation
https://www.w3.org/2019/02/28-privacy-minutes Specifically: * Merged the "Security and Privacy" and "Privacy" considerations sections into a single "Security and Privacy Considerations" * Added a forward pointer from 3.5 to the canMakePayment() protections section (in security and privacy considerations). Removed the Note in the algorithm of 3.5, and merged it with the (rewritten) protections section. * Expanded the canMakePayment protections section based on PING conversation.
|
Combining the privacy and security considerations section and the privacy considerations section has one problem: the high-level category is listed as non-normative, but some of the subsections have normative requirements in them. I think you could fix that by removing the marking of the high-level section as informative, and then evaluating each subsection to see whether it's informative or normative. |
…rkup accordingly.
|
@npdoty, thanks for catching that. I have adopted your proposal. I do not believe I have changed what was already the case - a single normative section under Security and Privacy Considerations. |
|
Thanks for making a start on this! I’ll try to review it over the weekend. |
|
Thanks much for these @ianbjacobs.
Thanks much! |
|
HI @snyderp,
That was one of the suggestions from the call that made it into the pull request: to limit in the face of multiple calls with different parameters from the top-level browsing context. Are there concrete text suggestions you have for making that clearer?
We can continue to discuss them on this thread. I think if the implementers agree that a given mitigation should be standardized, then I expect we can add it. However, I would not expect that to happen in version 1.
I would not expect negotiation of which data is shared to be a version 1 feature of Payment Request API. That has not been part of the specification to date and I think we would need to have more discussion of real-world payment systems. Sam has opened a new issue where have started discussion: A related topic (outside of Payment Request API) involves device fingerprinting (through JavaScript and other mechanisms). Our ongoing discussions in the working group involve topics like how to manage user privacy preferences with demands for data from risk engines. Ian |
I see the "For example, a user agent may restrict the number of successful calls that can be made based on the top-level browsing context" text. I'm not sure I understand the "successful calls" text there. Whats an "unsuccessful" call? If "unsuccessful" means
Great! Where is the best place to stay up to date on these discussions? |
|
Hi @snyderp, I'll start by saying that this topic has been a challenging one for the Working Group, and new ideas are welcome. We are relying on implementaitons to help mitigate abuse while at the same time responding to merchant requirements to be able to decide what checkout experience they can provide that will afford the least friction. The particular text that you are referring to no longer exists in my pull request. However, it may be that you have the same question over the new text. I invite @marcoscaceres, @rsolomakhin, @danyao, and @aestes to weigh in on their implementation experience. There have been other ideas on this topic that have not gained traction for other reasons; see #777 for example. Regarding data gathering for risk analysis, that seems to lie partly within the scope of several W3C groups. The Web Payments WG has had some discussions with EMVCo about 3-D Secure, which gathers some data. We've also chatted with the Web Authentication Working Group about whether WebAuthn (e.g., attestations) might be helpful in reducing reliance on JavaScript. And FIDO and EMVCo are also discussing that topic. To help facilitate some of these conversations we have been discussing the creation of a W3C Interest Group on Web payment security. A draft charter was reviewed by the W3C Membership, EMVCo Board, and FIDO Board; we are currently addressing feedback. In short: I would like to make it easier to discover and participate in Web payment security topics. I hope this proposed IG can help fulfill that goal. |
index.html
Outdated
| <li>allowing the user to configure the user agent to turn off | ||
| <a>canMakePayment()</a>; | ||
| </li> | ||
| <li>informing the user when <a>canMakePayment()</a> is called; |
There was a problem hiding this comment.
This seem impractical. I'm against including this suggestion.
There was a problem hiding this comment.
after reading the privacy minutes, I actually think this is an OK idea and npdoty questions was good.
Pros:
- Website are likely to be calling this method more responsibly if there is a little UI indication to the users and only do so in the right page and time where users expect this to happen and checkout.
Cons:
- Some users might freak out if they see such a UI notification or indication. there has to be a lot of carefulness and UX research from implementers side how to present this.
Why does it seem impractical?
There was a problem hiding this comment.
I'm in favor of it too. Short of standardizing the mitigations (which would be better, but seems to be off the table), including the above seems like a second best option
index.html
Outdated
| </p> | ||
| <ul data-link-for="PaymentRequest"> | ||
| <li>allowing the user to configure the user agent to turn off | ||
| <a>canMakePayment()</a>; |
There was a problem hiding this comment.
| <a>canMakePayment()</a>; | |
| <a>canMakePayment()</a>. |
index.html
Outdated
| </li> | ||
| <li>informing the user when <a>canMakePayment()</a> is called; | ||
| </li> | ||
| <li>rate-limiting the frequency of calls to <a>canMakePayment()</a> |
There was a problem hiding this comment.
| <li>rate-limiting the frequency of calls to <a>canMakePayment()</a> | |
| <li>Rate-limiting the frequency of calls to <a>canMakePayment()</a> |
index.html
Outdated
| For rate-limiting the user agent might look at repeated calls from: | ||
| </p> | ||
| <ul> | ||
| <li>the same effective top-level domain plus one (eTLD+1); |
There was a problem hiding this comment.
| <li>the same effective top-level domain plus one (eTLD+1); | |
| <li>the same effective top-level domain plus one (eTLD+1). |
index.html
Outdated
| <ul> | ||
| <li>the same effective top-level domain plus one (eTLD+1); | ||
| </li> | ||
| <li>the top-level browsing context; |
There was a problem hiding this comment.
| <li>the top-level browsing context; | |
| <li>the top-level browsing context - or block access to the API entirely for origins know to be bad actors.</li> |
|
Thanks again for the reply. Sure enough, i was looking at the wrong text. Thanks for the clarification! One other item related to mitigations, and one more reason you may want to include mitigation standardization in v1 (even if it slows things down): how does the user agent signal to the website "I am interested in using the Payment API, but I don't want to allow the fingerprinting risk implied by canMakePayment."? Say the user agent is operating in this privacy-protecting state and takes some of the mitigation steps mentioned in the text, and turns Throwing I suggest adding an additional exception type, or return value to the |
The use case remains that "can make payment?" is intended to be used to present, for example, an Google Pay specific button directly in the web page. Asking the user is not practical, because the site is effectively "port scanning" what supported payment methods are. I think the only feasible solution here is for the user to have control over this (like Safari does). Basically, an opt-in this check:
|
|
This is how Safari works:
|
|
I dont we're disagreeing. The correct answer is definitely to prompt, and to effectively not allow anything like how But, whether or not |
heh, returns "maybe" :) But seriously, it's why in Firefox we always lie and just return true. |
|
@marcoscaceres that seems like a reasonable approach, but suggests it shouldn't be in the standard in the first place :) Brave will very likely do something similar. Is anyone familiar with what Safari is planning on doing for non-Apple pay methods? |
Currently, Safari's only supported payment method is Apple Pay. |
- Removed "alert the user" as an idea; deemed impractical
|
@snyderp wrote:
Rejecting |
Thanks! I should have asked differently though: Does anyone know who, other than Chrome, plans to implement the spec / |
|
@snyderp : Which part of the spec differs among the implementations? From https://w3c.github.io/payment-request/#canmakepayment-method :
Firefox has a built-in payment handler for "basic-card", so they will always return "true". @marcoscaceres, correct me if I'm wrong. So Firefox implementation seems to match to spec, right? |
|
Adding @romandev and @zouhir (and assuming @rsolomakhin and @danyao already watching). Ian |
|
@snyderp wrote:
I like this idea. Our current behavior in this case is to return "false" in |
|
@snyderp and @rsolomakhin, would you support creating a new issue on the topic of finer-grain error reporting when canMakePayment() returns "false"? Some observations (which I can carry over to a new issue as well).
Ian |
|
@ianbjacobs : A separate issue sounds good. Does this need to go into the spec or best practices for implementers? I understand the error codes go into spec. Not sure about error messages. Other scenarios that would benefit any payment handler or merchant:
|
@rsolomakhin I was basing what I said (that Firefox isn't implementing the spec as written) based on @marcoscaceres comment "But seriously, it's why in Firefox we always lie and just return true.". I take that to mean they don't follow the Brave will likely do the same (decision hasn't been 100% made yet) and return true no matter what, at least with "Shields Up". |
about what data is shared, but rephrased to sound less like it has to be real-time
Co-Authored-By: ianbjacobs <[email protected]>
Co-Authored-By: ianbjacobs <[email protected]>
(Marcos and Ian edited.) Co-Authored-By: ianbjacobs <[email protected]>
Co-Authored-By: ianbjacobs <[email protected]>
Co-Authored-By: ianbjacobs <[email protected]>
Co-Authored-By: ianbjacobs <[email protected]>
I should clarify something here. This option influences the return value of the canMakePaymentsWithActiveCard API in Apple Pay JS (and soon the hasEnrolledInstrument API in Payment Request). When that option is unchecked (or the window is in Private Browsing), canMakePaymentsWithActiveCard will behave as if canMakePayments were called instead, returning true whenever Apple Pay is supported even if there are no enrolled instruments. Neither this checkbox nor Private Browsing influence the result of canMakePayments in Apple Pay JS or canMakePayment in Payment Request. |
@rsolomakhin, @danyao, @marcoscaceres,
Based on discussion at the Privacy Interest Group call yesterday, I took an action to propose some changes; see the minutes for details:
https://www.w3.org/2019/02/28-privacy-minutes
Specifically:
Merged the "Privacy and Security Considerations" and "Privacy Considerations" sections into a single section ("Privacy and Security Considerations").
Added a forward pointer from 3.5 to the canMakePayment() protections section (in security and privacy considerations). Removed the Note that was in the middle of the algorithm of 3.5, and merged it with the (rewritten) canMakePayment protections section.
Expanded the canMakePayment protections section based on PING conversation.
The following tasks have been completed:
NOTE: I will also point PING at the edit.
Preview | Diff