13:49:22 RRSAgent has joined #wpwg
13:49:26 logging to https://www.w3.org/2023/08/03-wpwg-irc
13:49:27 Meeting: Web Payments Working Group
13:49:33 Chair: Ian
13:49:34 Scribe: Ian
13:49:40 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20230803
13:49:43 regrets+ NickTR
13:49:48 agenda+ Roll call
13:49:53 agenda+ WPWG Charter update
13:50:02 agenda+ Shared autofill proposal
13:50:27 agenda+ Quick description of Payment Request publication plan
13:54:25 BenGagyi has joined #wpwg
13:57:37 present+
13:57:46 present+ Andrew_Jamieson
13:57:56 koalie has joined #wpwg
13:58:13 koalie has left #wpwg
14:00:54 present+ Franck_Delache
14:00:58 present+ Rahil_Virani
14:01:03 rahilvirani has joined #wpwg
14:01:03 present+ Benedek_Gagyi
14:01:08 present+ Rouslan_Solomakhin
14:01:14 present+ Arman_Aygen
14:01:18 present+ Amine_Khalfaoui
14:01:22 present+ Steve_cole
14:01:25 fdelache has joined #wpwg
14:01:29 present+ Jean-Michel_Girard
14:01:34 present+ Gerhard_Oosthuizen
14:01:57 Gerhard has joined #wpwg
14:02:00 present+ Soumya_Chakrabarty
14:02:05 present+
14:02:08 present+ Jen-Luc_di_Manno
14:02:35 JeanLuc has joined #WPWG
14:02:37 present+ Stephen_McGruer
14:02:50 present+ Ryan_Watkins
14:03:14 JM_Girard has joined #wpwg
14:04:35 present+ David_Benoit
14:04:53 present+ Gustavo_Kok
14:06:02 https://github.com/w3c/webpayments/wiki/Agenda-20230803
14:06:06 zakim, take up item 1
14:06:06 agendum 1 -- Roll call -- taken up [from Ian]
14:06:40 [Franck hands off Shopify relationship to Rahil Virani]
14:06:55 present+ Sameer_Tare
14:07:31 Arman has joined #WPWG
14:07:41 [Intros from Rahil and Benedek]
14:08:17 zakim, take up item 2
14:08:17 agendum 2 -- WPWG Charter update -- taken up [from Ian]
14:08:26 https://lists.w3.org/Archives/Public/public-payments-wg/2023Aug/0000.html
14:09:50 present+ Sami_Tikkala
14:12:07 zakim, take up item 3
14:12:07 agendum 3 -- Shared autofill proposal -- taken up [from Ian]
14:12:12 https://github.com/w3ctag/design-reviews/issues/831
14:12:21 present+ Doug_Fisher
14:12:48 [Presentation by Stephen McGruer]
14:13:03 smcgruer_[EST]: Autofill is typically a browser-specific feature.
14:13:17 jose-cdbtr has joined #wpwg
14:13:22 jose-cdbtr has left #wpwg
14:13:29 ...very useful for users in form-based checkout flows, which remain the majority of checkout flows. Especially valuable on mobile.
14:13:41 ...we have studies that show that autofill helps users complete transactions
14:14:05 ...I'm presenting today, but lots of work on this done by Chris who could not join us today
14:15:00 [Stephen shows a form where some of the data fields are hosted by cross-origin frames: card number, expiry and cvv]
14:15:38 ...reasons have to do with PCI-DSS
14:16:05 smcgruer_[EST]: Why is the name on the card field still in the merchant's domain? (Honest question; looking for answers)
14:16:18 q+
14:16:44 (Stephen shows autofill on name field, even though the browser has more information about saved cards)
14:17:10 smcgruer_[EST]: Autofill historically only operates on a single frame.
14:17:22 ack Gerhard
14:17:51 Gerhard: Regarding the cardholder name in the merchant domain: that likely relates to merchant lookup
14:18:13 Steve: I also believe that the reason the name field is on the merchant site is that the merchant wants to retain the relationship
14:18:21 ...with the customer (even if guest checkout)
14:18:25 SameerT has joined #wpwg
14:18:28 ack Fra
14:18:48 Franck: Yes, that's the reason. On Shopify the 4 fields are in a single iframe. Name on card is not part of PCI.
14:19:09 smcgruer_[EST]: This has been a problem for a long time on the Web.
14:19:37 ...some approaches developers have taken to share autofill data include postMessage
14:19:37 q+
14:20:02 ...this is complicated and requires invisible fields
14:20:10 ...you have to make sure not to override data
14:20:17 ...we are also not thrilled with invisible fields
14:20:53 ...so the JavaScript approach doesn't really work
14:21:01 ...we've been working on this for the past year or so on Chrome
14:21:12 ...other browsers not yet on board but we hope they will do this as well
14:21:21 several pieces of the proposal:
14:22:09 1) Fill across same-origin frames. For example, if three card fields are in the same origin, the browser can automatically fill. If you fill a field with an origin "foo" the browser will fill all frames in "foo"
14:22:14 Anne has joined #wpwg
14:22:17 ...this feature has shipped in Chrome M116
14:22:31 ...we're trying to specify this in a WhatWG specification (of HTML)
14:23:11 2) As people noticed in the demo, we filled 3 iframes of embedded PSP origin but not the parent origin (e.g., card name)
14:23:48 ...we are assuming that (independent of PCI topics) if a user has visited a parent origin AND the parent origin has embedded frames (and thus trusts them), we think it's ok to fill the parent form.
14:23:57 This is ALSO already shipping in M116.
14:24:10 ...this is harder to ship because we are "declaring" some data is less sensitive
14:24:33 q-
14:24:41 3) What if you start from the parent origin (e.g., card name). We can't arbitrarily fill iframes in other origins...that would be a huge security problem.
14:25:04 ...we can't automatically fill them. So we are proposing to add to HTML a "shared-autofill" permission policy that a parent can set on frames
14:25:41 ...this is secure from our perspective as a browser because the merchant could have just put these fields itself on its page. So as long as the parent says it trusts the iframe, then we think the data can be shared downwards
14:26:00 ...this feature has not shipped. It's available behind a flag in Chrome M116
14:26:17 smcgruer_[EST]: So I have some questions for you:
14:26:27 1) Why is merchant name part of parent frame (answered above).
14:26:39 2) If you are supportive of these three features, please let us know. The TAG has asked for a summary from the WPWG.
14:26:39 q+
14:26:47 q+ David
14:27:17 present+ Fahad_Saleem
14:27:20 present+ Clinton_Allen
14:27:32 present+ Anne_Pouillard
14:27:41 Gerhard: These are named fields in PCI.
14:28:07 ...that leads me to the question/suggestion... does it make sense to elevate PCI fields to another level?
14:28:38 ...you can form fill my name / address but please do not fill PCI fields. Some rules are different between PCI and things like GDPR. PCI is much more specific.
14:28:46 ...you can treat PCI differently due to regulatory requirements
14:29:13 smcgruer_[EST]: Already in autofill you can tell us types of fields. I would be open to a conversation about HOW to treat these fields differently.
14:29:51 Gerhard: Ability to pass "up"...would make sense to have a separate permission for PCI data
14:30:15 smcgruer_[EST]: I'm hearing that there might be a subclass of "shared-autofill" => "shared-autofill-nopci" or something like that.
14:30:48 ack David
14:31:09 David: Expiry is not part of sensitive data. Name and expiry are appreciated by merchants for customer service.
14:31:31 ...they like to get back from PSPs the last4 as well as name/expiry so they can do customer service without having sensitive data.
14:31:54 ...data sent back up to merchant domain puts them back into PCI scope
14:32:10 ...would break agreements they have signed
14:33:06 Andrew: The scope of the expiry depends slightly...e.g., if it's not with the PAN it's not sensitive, but if it's transmitted with PAN it must be protected.
14:33:18 ...cardholder name typically skirts around this
14:33:50 ...I think autofill permission makes sense but sounds dangerous without finer-grain protections
14:34:12 ...e.g., "these fields have more information / more sensitivity and are controlled in different ways"
14:35:19 ...at the moment I don't see any particular concerns....the general concerns are protecting data.
14:35:29 ...these types of implementations are currently topics of discussion within PCI WGs
14:35:49 ...I'd like to provide more guidance to merchants on this
14:36:11 benoit has joined #wpwg
14:36:22 Gustavo: +1 to proposals that help solve these usability issues.
14:36:57 ...name on card is not needed to process a payment. So I think it's not sensitive in the same way. It doesn't even need to be sent for the payment.
14:37:10 ...I like the ability of the merchant being able to "opt-in" by trusting fields
14:37:24 ...but can an attacker tag iframes?
14:38:02 smcgruer_[EST]: I've heard from a few people that it may be better if we can scope trust: e.g., I trust this iframe to take payment fields but not address fields or vice versa
14:38:58 ...on the topic of what can an attacker do - the attacker has to compromise the main frame in order to take over an iframe. But if the attacker has taken over a main frame, you're in much bigger trouble anyway.
14:39:17 ...permissions policies have this threat model: as long as the main frame has not been compromised you are safe
14:40:28 Benedek: You mentioned guess fields that are not tagged. What happens if guesses are wrong?
14:41:09 smcgruer_[EST]: Yes, we use heuristics to tell what types of fields are. We usually don't get credit card fields wrong.
14:41:24 rouslan has joined #wpwg
14:41:27 ...we are more likely to get address fills wrong than payment fields.
14:41:42 q+ to talk about sensitive fields being incorrectly filled into main form
14:42:09 q-
14:42:09 ...addresses are complex (e.g., some addresses involve landmarks); we are working on being more inclusive in addresses.
14:42:45 Benedek: Would it be possible to not fill autofill data if the fields are not tagged?
14:43:34 smcgruer_[EST]: There are so many untagged fields that we are likely to have to use heuristics
14:43:44 To capture a point that was missed; scoping the trust is hard because autofill isn't very well spec'd today - it's viewed as a browser feature. So we split it into addresses/payments/passwords, but that's just how Chrome views it
14:44:10 rouslan: Regarding accidentally up filling. I think the algorithm that Stephen describes only talks about the name and not payment card fields.
14:44:10 clinton has joined #wpwg
14:44:18 smcgruer_[EST]: The problem is if we misidentify a field.
14:44:48 smcgruer_[EST]: For people who know PCI; I acknowledge this is not the same. But I assume users type card numbers into the wrong fields.
14:44:53 q+
14:44:55 ...what happens in that case?
14:45:12 Andrew: That does happen. There are PCI requirements for how merchants handle data they get through incorrect channels.
14:45:12 q-
14:45:29 ack Gerhard
14:46:45 Ian: Should MAG discuss this?
14:46:45 Steve: Let me talk with some people internally.
14:47:39 Ian: How should we respond to TAG request?
14:48:19 smcgruer_[EST]: My intention is to go back to TAG and give my interpretation of discussion, namely:
14:48:19 a) Proposal is valuable
14:48:19 b) People are interested in further scoping permissions
14:48:19 tag feedback link again?
14:48:50 https://github.com/w3ctag/design-reviews/issues/831
14:48:51 Fahad: When you normally autofill an iframe, would you know the URL of the iframe?
14:48:55 smcgruer_[EST]: We do know the origin
14:49:44 smcgruer_[EST]: I would like to bring more autofill conversations into W3C
14:49:54 ...would be interested in a group discussion on this.
14:50:42 ACTION: Ian to discuss autofill group within W3C strategy function
14:52:34 zakim, take up item 4
14:52:34 agendum 4 -- Quick description of Payment Request publication plan -- taken up [from Ian]
14:55:45 Topic: Next meeting
14:55:46 17 August
14:55:52 No meeting on 31 August
14:56:14 I have made the request to generate https://www.w3.org/2023/08/03-wpwg-minutes.html Ian
14:56:21 clinton has left #wpwg
15:05:37 RRSAGENT, make minutes
15:05:38 I have made the request to generate https://www.w3.org/2023/08/03-wpwg-minutes.html Ian
15:05:40 RRSAGENT, set logs public