00:49:15 benoit has joined #wpwg 03:56:26 Hemnath has joined #wpwg 05:03:35 pea13 has joined #wpwg 05:03:36 canton_ has joined #wpwg 08:29:31 npd has joined #wpwg 08:35:58 TimCappalli has joined #wpwg 13:39:41 rrsagent, bye 13:39:41 I see 4 open action items saved in https://www.w3.org/2022/09/12-wpwg-actions.rdf : 13:39:41 ACTION: smcgruer_[EST] to check whether the attestation is available during SPC flow [1] 13:39:41 recorded in https://www.w3.org/2022/09/12-wpwg-irc#T16-59-58 13:39:41 ACTION: Sameer to see about enhancing 3DS flow to include attestation if available in SPC context. [2] 13:39:41 recorded in https://www.w3.org/2022/09/12-wpwg-irc#T17-03-48 13:39:41 ACTION: smcgruer_[EST] to get info on priority of more icons in transaction dialog from design team [3] 13:39:41 recorded in https://www.w3.org/2022/09/12-wpwg-irc#T22-52-06 13:39:41 ACTION: Sameer to work with the 3DS WG to write down in more detail the "non-payment transaction" use case. [4] 13:39:41 recorded in https://www.w3.org/2022/09/12-wpwg-irc#T23-03-37 13:39:42 zakim, bye 13:39:42 leaving. As of this point the attendees have been NickTR, Rose_Robertson, Ian_Jacobs, Sameer_Tare, Javad_Chamanara, Bastien_Latge, Magda_Sypulla, Magda_Sypula, Nako_Siskov, 13:39:42 Zakim has left #wpwg 15:56:10 RRSAgent has joined #wpwg 15:56:10 logging to https://www.w3.org/2022/09/13-wpwg-irc 15:56:12 Meeting: Web Payments WG 15:56:16 Chair: Nick 15:56:18 Scribe: Ian 15:56:29 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-TPAC2022 15:59:26 present+ Ian 15:59:29 present+ Bastien_Latge 15:59:36 present+ Carey_Ferro 15:59:39 present+ Sameer_Tare 15:59:47 present+ Sue_Koomen 16:00:28 present+ Nick_Telford-Reed 16:01:55 motokim has joined #wpwg 16:03:59 benoit has joined #wpwg 16:04:08 scribenick: ian 16:04:44 magda_sypula has joined #wpwg 16:07:12 Fahad has joined #wpwg 16:08:08 SameerT has joined #wpwg 16:08:09 praveena has joined #wpwg 16:08:12 erhardbrand has joined #wpwg 16:08:13 Hemnath has joined #wpwg 16:08:14 wanderview has joined #wpwg 16:08:18 mikehorne has joined #wpwg 16:08:19 careyf has joined #wpwg 16:08:22 Sue has joined #wpwg 16:08:33 NakjoShishkov has joined #wpwg 16:08:33 adam_kelly has joined #wpwg 16:08:38 Uchi has joined #wpwg 16:08:39 zakim, who's here? 16:08:39 Present: Ian, Bastien_Latge, Carey_Ferro, Sameer_Tare, Sue_Koomen, Nick_Telford-Reed 16:08:41 On IRC I see Uchi, adam_kelly, NakjoShishkov, Sue, careyf, mikehorne, wanderview, Hemnath, erhardbrand, praveena, SameerT, Fahad, magda_sypula, benoit, motokim, RRSAgent, Zakim, 16:08:41 ... Rose, bkardell_, TimCappalli, npd, canton_, pea13, rbyers, benoit_, dlehn1, Dongwoo, hober, jeffh, smcgruer_[EST], tobie, slightlyoff, ljharb, nicktr, rowan_m, hadleybeeman, 16:08:41 ... Travis, weiler, Ian, wseltzer 16:08:46 Dfisher_ has joined #wpwg 16:08:55 Sami has joined #Wpwg 16:09:01 present+ Ben Kelly 16:09:07 present+ David_Benoit 16:09:09 present+ Rose_Robertson 16:09:09 present+ Dongwoo_Im 16:09:11 present+ Erhard_Brand 16:09:12 present+ Ben_Kelly 16:09:14 Soumya has joined #wpwg 16:09:16 present+ Michael_Horne 16:09:16 present+ Uchi_Uchibeke 16:09:16 Present+ Rick_Byers 16:09:18 present + Nakjo_Shishkov 16:09:20 Present+ Sami 16:09:20 present+ Stephen_McGruer 16:09:23 present+ Adam_Kelly 16:09:26 Present doug_fisher 16:09:29 present+ Nakjo_Shishkov 16:09:30 surata_ has joined #wpwg 16:09:31 present+ fahad_saleem 16:09:35 present+ praveena_subrahmanyam 16:09:37 clinton has joined #wpwg 16:09:59 jon_ has joined #wpwg 16:10:06 present+ Hemnath_Dhananjayan 16:10:07 present+ clinton_allen 16:10:27 Vanitha has joined #wpwg 16:10:35 present+ Benjamin_Kelly 16:11:08 takashi has joined #wpwg 16:11:10 present+ Jonathan_Njeunje 16:12:10 Solai has joined #wpwg 16:13:11 present+ Doug_Fisher 16:13:13 Topic: PR API 1.0 update 16:13:23 scribe+ 16:13:56 scribenick: nicktr 16:13:59 present+ Devin_Rousso 16:14:15 ian: we're going to talk about payment request and handler today 16:15:01 ian: we published Payment Request v1.0 and Payment Method Identifiers v1.0 last week 16:15:02 dcrousso has joined #wpwg 16:15:29 ...organisational changes (TBL moving away) caused some delay to handling the formal objections 16:16:11 ...TBL has delegated to Ralph Zwick, who reviewed the report that examined the formal objections 16:16:20 ...and overruled the those objections 16:16:22 q? 16:16:26 present+ Jorge_Vargas 16:17:05 ian: the second thing that happened was that we published FPWD of V1.1 of Payment Request 16:17:27 ...this was driven by feedback from browser vendors 16:17:53 ...the changes were principally low level javascript issues 16:18:07 ChristianA_ has joined #wpwg 16:18:29 ...but it was a strong signal that the browser vendors are actively maintaining the standard 16:18:44 ...so today we're going to talk about what's next for payment request 16:19:15 ...including privacy changes, usage, new features 16:19:37 smcgruer_[EST]: we have a list which includes handlers, addresses... 16:19:41 scribenick: Ian 16:20:24 smcgruer_[EST]: PR API used to have support for collecting addresses. The WG removed the feature based on privacy review. 16:20:25 https://github.com/w3c/payment-request/issues/842 16:21:01 smcgruer_[EST]: But the feature shipped in both Safari and Chrome. Browser vendors don't like when a web feature that is interoperable and shipping is not part of a Web standard. 16:21:20 ...so we want to discuss how to handle this. 16:21:27 ...should we fix shipping addresses? 16:21:29 q+ to ask implications of non-specced features 16:21:34 ack nicktr 16:21:34 nicktr, you wanted to ask implications of non-specced features 16:21:39 present+ John_Bradley 16:21:55 NickTR: I hear and understand that it's not good to have a feature live on the web without a spec. 16:21:59 ...what are the practical implications of that. 16:22:30 Devin: Within Apple, people who are writing documentation about how to use the web, don't have anything to refer to. 16:22:38 ...there is no source of truth. 16:23:07 NickTR: So documentation that devs use is based on specs not source code. 16:23:13 Devin: Correct. Developers care about the API surface. 16:23:47 q+ 16:24:03 smcgruer_[EST]: It is also important that APIs be documented so that other browsers (existing or new) can implement the API (and not have to look at two source code repos) 16:24:31 smcgruer_[EST]: One option is to bring it back as its own spec that says "this is deprecated" 16:24:36 ack rbyers 16:24:39 ack rbyers 16:24:43 rbyers: There is precedent for this (e.g., touch events) 16:25:11 q+ 16:25:11 ...what you want to document is what developers need to know to implement the API 16:25:25 rbyers: I think for touch events it was an Appendix to the full spec. 16:25:43 rose: Does "deprecated" means it won't be implemented on the web in the future? 16:25:47 Devin: No, not in practice. 16:26:11 q+ to express heeby-jeebies about SPC... 16:26:15 ack Rose 16:27:43 q? 16:27:49 ack nicktr 16:27:49 nicktr, you wanted to express heeby-jeebies about SPC... 16:28:20 nicktr: Are there lessons here for SPC? 16:28:43 ...regarding SPC dependency on PR API? 16:28:52 q+ to respond 16:29:33 smcgruer_[EST]: It's a fair concern. In a perfect world, this would likely happen after we would make a decision about the dependency on PR API 16:29:36 j_pascoe has joined #wpwg 16:29:46 ...we at Chrome commit to owning the deprecation in case we redesign the API 16:30:01 ack smcgruer_[EST] 16:30:01 smcgruer_[EST], you wanted to respond 16:30:20 Devin: It's impossible to future proof specs; don't be dissuaded 16:31:01 present+ David_Turner 16:31:17 q? 16:31:57 1) Publish a spec for addresses and their semantics in PR PI that calls them deprecated 16:32:07 s/PR PI/PR API/ 16:32:11 2) Develop PR API to satisfy the privacy consideration (incremental address info collection) 16:33:30 Which do you prefer? 16:33:59 Devin: For idea #2, our goal is to have "what we had before written somewhere". We need the old thing documented in any case. 16:34:20 I am hearing 1) then 2) from Devin 16:34:23 Ian: Are you interested in enhancing the API? 16:34:46 Devin: We might be interested. 16:35:07 Ian: 2 16:35:15 do 1, then 2 16:35:19 s/Ian: 2/Ian: 1/ 16:35:26 NickTR: I am hearing 1 then 2 in any case 16:35:37 3) Both in that order 16:35:48 I like 3) 16:35:52 3 16:36:10 ACTION: Ian to work with editors to draft a deprecated feature description. 16:36:31 I have made the request to generate https://www.w3.org/2022/09/13-wpwg-minutes.html Ian 16:36:49 FYI, some history on the TouchEvents precedent. We eventually were able to remove the API (document.createTouch) so it's now gone from any spec. https://github.com/w3c/touch-events/issues/80 16:36:50 Ian: Any things about PR API from Apple perspective? 16:37:02 Devin: We've added about 6 or 7 features in past couple of years: 16:37:07 (to ApplePay.js) 16:37:11 1) Recurring payments 16:37:18 2) Deferred payments 16:37:27 3) Automatic reload payments (for transport cards, for example) 16:37:35 q+ to note this sounds a lot like the list of 'types' of payments for SPC ;) 16:38:02 4) Order details (when an order is finished, the web site can provide the details of the order, which links to an "order bundle object" that contains information about the order, which is surfaced in the wallet app 16:38:13 5) Marketplaces / multiple-merchant experiences 16:38:42 6) Coupon codes. 16:38:54 ...you will get events when user changes coupon codes. 16:39:04 ...when the coupon code changes, the payment method changes. 16:39:23 ...rather an event indicating some data changed 16:39:32 7) Shipping address variants (like pickup location) 16:39:49 8) Support for ApplePay in 3p webviews on iOS 16:40:32 ...so ApplePay works in other browsers (using web views) on iOS. 16:40:44 dezell has joined #wpwg 16:40:57 present+ David_Ezell 16:41:13 Devin: We would like to see PR API take on these features. 16:41:36 q- 16:41:47 q+ to ask about the PR API shape 16:42:05 [Nick provides a bit of history on PR API] 16:42:23 I have made the request to generate https://www.w3.org/2022/09/13-wpwg-minutes.html Ian 16:42:43 zakim, who's here? 16:42:43 Present: Ian, Bastien_Latge, Carey_Ferro, Sameer_Tare, Sue_Koomen, Nick_Telford-Reed, First_Last, Ben, Kelly, David_Benoit, Rose_Robertson, Dongwoo_Im, Erhard_Brand, Ben_Kelly, 16:42:46 ... Michael_Horne, Uchi_Uchibeke, Rick_Byers, Sami, Stephen_McGruer, Adam_Kelly, Nakjo_Shishkov, fahad_saleem, praveena_subrahmanyam, Hemnath_Dhananjayan, clinton_allen, 16:42:46 ... Benjamin_Kelly, Jonathan_Njeunje, Doug_Fisher, Devin_Rousso, Jorge_Vargas, John_Bradley, David_Turner, David_Ezell 16:42:46 On IRC I see dezell, j_pascoe, ChristianA_, Solai, takashi, Vanitha, jon_, surata_, Soumya, Uchi, adam_kelly, NakjoShishkov, Sue, careyf, wanderview, Hemnath, praveena, SameerT, 16:42:50 ... Fahad, benoit, motokim, RRSAgent, Zakim, Rose, bkardell_, TimCappalli, npd, canton_, pea13, rbyers, benoit_, dlehn1, Dongwoo, hober, jeffh, smcgruer_[EST], tobie, slightlyoff, 16:42:50 ... ljharb, nicktr, rowan_m, hadleybeeman, Travis, weiler, Ian, wseltzer 16:42:57 present+ Christian_Aabye 16:43:13 smcgruer_[EST]: What changes to the shape of the API would you like to see? 16:43:30 Devin: I think modifiers as specified are not helpful for some of these new features 16:44:06 ...for example, it would be great to be able to add (extra) line items for a given payment method 16:45:08 smcgruer_[EST]: Lots today goes in the data object (to allow for innovation). But it would be interesting to have some additional structure. What is the incentive for a payment app to use API surface if it's easier to stick in a JSON blob? 16:46:09 https://w3c.github.io/payment-request/#paymentmethoddata-dictionary is what smcgruer_[EST] is talking about 16:46:16 'object data;' 16:46:25 dcrousso has joined #wpwg 16:47:42 clinton has joined #wpwg 16:47:48 Ian: What's the user benefit for these features? 16:48:26 ...e.g., coupon codes benefit UX 16:48:36 alakatos has joined #wpwg 16:48:38 laka has joined #wpwg 16:49:00 Devin: I forgot one - shipping type ranges 16:49:14 Devin: Most of these changes have to do with clearer presentation in the UX. 16:49:46 Ian: Any thoughts from Google and Samsung on these features? 16:49:55 smcgruer_[EST]: We'd like to make this work for any payment app. 16:50:43 rbyers: The main value of structured data is to enable the browser to do something with it. 16:52:13 smcgruer_[EST]: Nobody uses the built-in browser sheet, so the coupon code can already be used in data object. 16:53:05 NickTR: We don't want to constrain the broader shopping experience; we want commonality around authentication. 16:54:14 q? 16:54:14 present+ Brant_Peterson 16:54:18 q- 16:55:51 magda_sypula has joined #wpwg 16:55:57 q+ 16:56:07 ack magda_sypula 16:56:22 magda_sypula: There had been conversation about creating a merchant cg. 16:57:24 jeanluc has joined #WPWG 16:57:27 takashi__ has joined #wpwg 16:57:39 Ian: We created a merchant cg but it did not gain traction 16:57:58 magda_sypula: Are people in the room interested in an IG or CG on shopping experience? 16:58:07 clinton: What's the goal? 16:58:14 magda_sypula: Shopping consistency across the web. 16:58:26 [Not much interest expressed in the room] 16:58:47 NickTR: The retail experience is a point of competition. 16:59:18 q+ 16:59:23 q+ 16:59:33 smcgruer_[EST]: We'd love a cg to hear from merchants 16:59:45 nickTR: Merchants are busy running their businesses. 16:59:51 ack sm 17:00:00 ack Ian 17:00:29 laka has joined #wpwg 17:01:53 topic: Navigation tracking 17:02:00 I have made the request to generate https://www.w3.org/2022/09/13-wpwg-minutes.html Ian 17:02:18 present+ Emil_Lundberg 17:02:53 Ben Kelly: I'm working at Google on "Bounce Track Mitigations" 17:03:07 ...we want to increase privacy while not breaking things like payments. 17:03:08 q+ 17:03:21 ack nicktr 17:04:30 q+ 17:04:40 [Ben explains navigation tracking as a work-around to storing cookies] 17:04:56 Ben: Navigation tracking can happen programmatically (does not require a user activation) 17:05:00 ack clinton 17:05:36 clinton: Are those separate domains on diagram on the screen? 17:05:38 Ben: yes 17:05:47 [What browsers are doing today] 17:06:15 q+ to ask about a historical lens 17:07:29 Ben: Browsers are taking steps like deleting cookies set during detected bounce tracking or otherwise using ephemeral storage. 17:07:52 ...Chrome team has published an explainer on what they'd like to do 17:08:03 https://github.com/wanderview/bounce-tracking-mitigations/blob/main/explainer.md Bounce Tracking explainer 17:08:38 Ben: We'd like some convergence among browsers on how things work. Our initial proposal largely aligns with the Firefox solution. 17:09:15 ...we are trying to detect "stateful bounces", then after some time delete storage for site that was bounced through, unless we can determine that the user has purposely chosen to use that site. 17:09:43 ...e.g., previous interaction has taken place, or post-visit interaction before deletion time-out, or perhaps foreground view-time or other signals 17:09:59 q+ 17:10:23 [Slide on how this approach protects use cases we want] 17:10:48 Ben: Regarding payments, there are a large variety of flows. My understanding is that flows frequently use link decoration and server-side state management. 17:11:27 Ben: There are a few other use cases we are interested in (e.g., link shorteners) 17:11:48 Ian: Where are conversations happening on this topic? 17:11:57 Ben: Not yet sure where yet, but likely privacy CG 17:12:19 ack clin 17:13:02 clinton: For these types of changes, many of these topics come back to third-party cookie access. Why is there no consumer choice for this type of behavior? E.g., a consumer chooses to allow a 3p cookie. 17:13:12 q? 17:13:20 Ben: Storage Access API gives a site a way to prompt the user to consent to cookies. 17:13:26 q++ 17:13:29 q-+ 17:13:36 q+ 17:13:54 Ben: There's a tension between lots of prompts (which people start to ignore when there are too many) and simply doing things on behalf of the user. 17:14:02 ...how many users understand 3p cookies and bounce tracking? 17:14:27 ...we are reluctant to show prompts that could scare user or that might be so insipid as to not communicate clearly what's happening. 17:14:32 ...there are real UX challenges here. 17:14:53 ...but perhaps there's a mode where the user can say "I don't mind being tracked." But we want the web to be safe by default. 17:15:45 clinton: If you have a payment methodology that works on every site and uses a cookie to recognize the user (in a 3p context). In the checkout flow, the user can say "Do you want to be remembered on this device?" Then they are not remembered, which is confusing. 17:16:15 smcgruer_[EST]: There is no concept of "payment flow" on the web. 17:16:25 ...we've been trying to solve the classification problem 17:16:48 notes that there *was* no concept of payment flow on the web until V1.0 Payment Request! 17:16:50 ...e.g., federated identity work allows the browser to protect the user and know what the user has consented to 17:16:51 q+ 17:17:15 q+ to respond 17:17:17 q- 17:17:20 clinton: The bounce tracking change will impact payments (as does getting rid of 3p cookies) 17:17:30 q+ to ask how much of the concern here with bounce tracking is from WRITING storage in a bounce 17:17:41 q+ 17:17:49 q+ 17:18:24 Ben: To clarify, if the user interacts with the site, we won't delete the cookie. 17:18:40 ...we want to use the interaction as the intentional action by the user...I've seen that I'm on the site. 17:19:07 ...I'm mostly interested in payments use cases where the user is redirected WITHOUT USER AWARENESS. 17:19:27 SameerT: even if interaction is happening in an iframe? 17:19:33 Ben: No, it would have to be in 1p 17:19:43 smcgruer_[EST]: And note that invisible bounces would have to set state 17:20:03 Ben: I don't know whether we've decided whether iframe in same TLD would be exempted. 17:20:08 q? 17:20:12 q+ 17:20:32 SameerT: Two use cases in payments we care about: (1) user recognition (2) user interactions with a cross-origin iframe such as the issuer. 17:20:46 NickTR: But there is user interaction in that 3p context. 17:21:45 Ben: Is there a scenario with an invisible bounce from a cross-origin iframe? 17:22:01 q? 17:22:03 clinton has joined #wpwg 17:22:14 q- 17:22:15 ack Ian 17:22:19 q+ 17:23:07 ian: specific ux helps solve the classification problem 17:23:35 laka has joined #wpwg 17:24:16 q- 17:24:23 ...then the question becomes "how do we know that a problem with deserves UX" 17:24:38 s/with deserves/that deserves/ 17:24:53 q? 17:25:18 q? 17:25:32 ack wan 17:25:32 wanderview, you wanted to respond 17:25:39 ack sam 17:25:42 ack benoit 17:26:17 dezell has joined #wpwg 17:26:36 q? 17:26:45 benoit: When a bank tries to recognize you (the issuer), typically they are looking to see whether you are using a device they recognize. Then in the subsequent purchase they may redirect you in the background to a site where they check to see whether this is the same device. 17:27:31 ...there are also PCI issues that might be relevant to payments use cases. 17:28:17 Could 3DS Method URL fall into this scope ? 17:28:46 Ben: In a scenario where there's only ever been an interaction in an iframe, I think that iframe partitioning will break the use case (rather than redirect) 17:29:41 q? 17:29:46 ...if the user interacts with the site during a step-up, then some storage would not be deleted. 17:29:48 ack clinton 17:30:09 q+ 17:30:15 clinton: Recognizing that you came into the room with a simple request, I think that there are some use cases ... unlikely we will solve today. 17:31:36 Devin: I would guess (without really knowing) that Safari is even more strict. If you already support Safari, may not notice. 17:31:38 ack rbyers 17:31:44 zakim, close the queue 17:31:44 ok, nicktr, the speaker queue is closed 17:32:02 rbyers: There's a principle here which is: when a browser sends information from one entity to another, users want to be able to intercede. 17:32:33 ...where are there use cases where information is shared with invisible third parties. 17:33:10 ...something like SPC is helpful to make clear where information is being shared 17:33:13 I have made the request to generate https://www.w3.org/2022/09/13-wpwg-minutes.html Ian 17:33:22 present+ Jean-Yves_Rossi 17:33:32 present+ Jean-Luc_Di_Manno 17:33:42 present+ Xu_Lin 17:34:04 ack dezell 17:34:04 dezell, you wanted to ask about a historical lens 17:34:49 dezell: Back to the point about merchants participating in stds bodies, at NACS we do surveys. We hear different answers from developers and from business people. 17:35:30 dezell: Some pain points include hardware support, edge computing 17:35:36 I have made the request to generate https://www.w3.org/2022/09/13-wpwg-minutes.html Ian 17:36:00 q+ 17:36:38 zakim, open the queue 17:36:38 ok, nicktr, the speaker queue is open 17:36:52 q+ clinton 17:37:19 dezell: One observation about the merchant BG is that we tried during COVID; might be worth trying again. 17:37:28 ack clinton 17:37:51 clinton: I think that there's a lot of need within the industry to create some level of consistency with payments. There's an option question about boundary between shopping and payments. 17:38:01 ...there are many industry bodies trying to understand their scope. 17:38:05 ...I could support a CG for merchants,. 17:38:11 magda_sypula: +1 17:38:15 ...Apple would be interested. 17:38:41 [Coffee for 22 minutes] 17:38:45 I have made the request to generate https://www.w3.org/2022/09/13-wpwg-minutes.html Ian 17:41:13 laka has joined #wpwg 17:55:36 laka has joined #wpwg 18:03:30 Rose has joined #wpwg 18:05:19 Topic: Privacy issues related to PR API and Payment Handler 18:05:52 clinton has joined #wpwg 18:06:47 ChristianA has joined #wpwg 18:06:49 smcgruer_[EST]: Part of this presentation is about payment handlers, but also helps to communicate how Google his thinking generally about privacy 18:07:37 Takashi_ has joined #wpwg 18:08:10 [Recap of payment handlers, and demo of payment handlers on Chrome] 18:08:31 smcgruer_[EST]: Some challenges with pop-ups - e.g., users lose them. 18:09:00 ...payment handler creates a tab modal window ... you can't get back to window content unless you interact with the modal window. 18:09:51 ...on mobile, the UX is very different...without payment handler, the only way you can get to a payment app is open a new tab which completely hides the underlying page 18:10:15 ..but payment handler gives a native-like payment experience with a smaller modal window that takes up only a portion of the mobile screen 18:11:42 ...note that payment apps are service workers with web pages; this will be part of the story. 18:11:52 ...the payment handler is considered a 1p context (equivalent to a popup) 18:15:25 [Stephen revisits the payment handler architecture] 18:21:09 q? 18:21:12 [Privacy Sandbox revisited] 18:22:45 q+ 18:23:12 [smcgruer_[EST] gives a rough definition of the anti-tracking goals of the privacy sandbox and similar efforts in other browsers] 18:23:15 ack SameerT 18:24:09 SameerT: Cardholders sign agreements with banks that some data will be collected for fraud collection. Suppose that's an agreement with b.com. 18:24:22 ..when the browse on a.com, the consent with b.com is not known in the browser. 18:24:41 ...so is your expectation that the consent is limited to the browser context? 18:25:22 smcgruer_[EST]: It's blurry. The user can volunteer information to a site (e.g., email or cardholder) that is identifying. But in this case the user has volunteered the number. (But cf tokenization) 18:25:42 SameerT: Is the problem linking together ACS's collected data with the user-provided data? 18:26:24 smcgruer_[EST]: Those are related questions, mostly under anti-tracking efforts. 18:26:35 Ben: Cf the antifraud CG 18:26:43 q? 18:27:46 smcgruer_[EST]: We are removing 3p cookies so that the iframe doesn't know anymore who it thinks the user is. 18:27:58 [Privacy Sandbox and Payment Handler concerns] 18:28:53 -> https://github.com/rsolomakhin/webpayments/blob/gh-pages/privacy/issues/README.md List of concerns 18:29:27 smcgruer_[EST]: At a high level with payment handlers, there are a series of concerns around silent sharing of data. 18:29:38 slides from previous talk on bounce tracking: https://docs.google.com/presentation/d/1zGN4Mwti3H2UATa3s2fgAYsIKAlxC63SbDMWU6vaHsA/edit?usp=sharing&resourcekey=0-qmIzIHCgMHEdF8YjuxnWqg 18:29:51 ...so the question is: how do we build an ecosystem that works for users without allowing malicious parties sharing information that hurts the payments ecosystem. 18:30:17 ...some other questions: should we drop payment handlers and rely on popups? 18:30:32 ...or should we go further and make them more a part of the browser (but how to prevent malicious behavior) 18:30:40 ...can we do isReadyToPay in a privacy protecting way. 18:30:43 erhardbrand has joined #wpwg 18:30:52 q+ 18:31:08 ack me 18:31:10 q? 18:31:18 Ian: isReady was mostly about only showing buttons when available 18:34:23 smcgruer_[EST]: There are new techs that exist now that do similar thing (e.g., FedCM is doing something like that) 18:34:52 ...there's another one called a "fenced frame" that limits communications with parent site, and for that reason it is given more powers. 18:35:14 ...but these fenced frames have to take up space on the page 18:35:37 ...I am aware of payment apps that have isReadyToPay Apis (google pay, apple pay, shop pay) 18:35:40 q+ 18:36:04 ack clinton 18:37:21 FedCM explainer: https://github.com/fedidcg/FedCM/blob/main/explainer.md 18:37:41 q+ 18:38:17 Google One tap sign-in: https://developers.google.com/identity/gsi/web 18:38:18 [Some discussion of FedCM] 18:38:31 smcgruer_[EST]: People have N identities on the web 18:38:33 ...not just one 18:38:40 ack Rose 18:38:59 Rose: With isReadyToPay, how do you know that the user is logged into a payment app? 18:39:50 smcgruer_[EST]: the canmakepaymentevent is fired to a service worker. It's a 1p context. It can make a network request to a parent web site to find out, e.g., whether the user is logged in 18:40:05 Rose: You wouldn't want to not show the button just because they are not logged in, right? 18:40:19 smcgruer_[EST]: Some merchants, I believe, want to only show buttons if the user is logged in 18:40:37 ...but it's an edge case; some payment app providers always want the button shown 18:40:52 q? 18:41:36 Hemnath has joined #wpwg 18:41:40 nicktr: Regarding opening the modal window, I think that only use case for that was the super-accelerated payment user experience. 18:41:50 Sami has joined #Wpwg 18:42:05 smcgruer_[EST]: We are confident that we will require a window to be opened. 18:42:52 nick: If you have more than one instrument that you could pay with, you will always get a sheet to pick a handler. 18:44:09 q? 18:44:44 nick: Payment handlers is the way we keep the ecosystem open 18:44:55 erhardbrand has joined #wpwg 18:44:55 laka has joined #wpwg 18:44:57 q+ 18:44:57 q+ 18:45:06 clinton_ has joined #wpwg 18:45:37 q+ 18:45:43 ack rbyers 18:46:04 rbyers: Not only do we want an open ecosystem, our integration with Google Pay works as a payment handler 18:46:19 ack erhardbrand 18:46:38 erhardbrand: Can I invoke FIDO within a payment handler? 18:46:42 smcgruer_[EST]: That *should* work. 18:46:57 smcgruer_[EST]: Not everything works in the payment handler modal window. 18:49:04 q? 18:49:09 ack clinton_ 18:50:06 https://www.w3.org/2022/09/TPAC/breakouts.html 18:50:36 magda_sypula has joined #wpwg 18:51:01 q? 18:51:40 I have made the request to generate https://www.w3.org/2022/09/13-wpwg-minutes.html Ian 18:52:15 Ian: What happens next? 18:52:26 praveenas has joined #wpwg 18:52:41 smcgruer_[EST]: We are looking at making some changes in our implementation of PR API; some of those may not require changes to specs. 18:52:53 ...for others we will do pull requests against (mostly) the payment handler API 18:53:12 ...but the bigger question is: if we chip away at payment handler API, do we remove its value? 18:53:45 ...as a reminder, think more broadly about how this topic (privacy sandbox) affects various payment flows. 18:54:12 I have made the request to generate https://www.w3.org/2022/09/13-wpwg-minutes.html Ian 18:55:31 Next teleconference: 29 Sep 18:55:31 Nick: Thanks everyone! 18:55:36 I have made the request to generate https://www.w3.org/2022/09/13-wpwg-minutes.html Ian 19:34:48 laka has joined #wpwg 19:46:01 laka has joined #wpwg 19:59:38 praveenas has joined #wpwg 20:02:22 takashi has joined #wpwg 20:06:25 wonsuk has joined #wpwg 20:06:35 careyf has joined #wpwg 20:08:33 npm has joined #wpwg 20:09:32 benoit has joined #wpwg 20:10:49 Uchi has joined #wpwg 20:15:54 for those (like me) who were a bit lost about what's going on, apparently we're in slack not IRC 20:16:32 to join the w3c slack, you ned to first generate an invitation here -> https://www.w3.org/slack-w3ccommunity-invite 20:17:12 and then go to the channel #antifraud-tpac in the w3c community slack instance 20:17:30 I don't know how slack queuing works 20:18:22 https://docs.google.com/document/d/1W6uCLSI5ZEJf35_mnUrc-PgLViLHv7ajetyiU_zXFlM/edit#heading=h.449emh79bbfu 20:18:40 oh, apparently, the queue is in a google doc here -> https://docs.google.com/document/d/1W6uCLSI5ZEJf35_mnUrc-PgLViLHv7ajetyiU_zXFlM/edit#heading=h.449emh79bbfu 20:23:48 Zakim FTW! 20:39:41 laka has joined #wpwg 20:40:07 laka_ has joined #wpwg 20:42:56 laka_ has joined #wpwg 20:59:57 Zakim has left #wpwg 22:55:35 dcrousso_ has joined #wpwg