From c0052f300fdac1c67e0856deed9a217fa16eaeeb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcos=20C=C3=A1ceres?= Date: Fri, 27 Mar 2026 18:58:06 +1100 Subject: [PATCH 1/2] fix: restore transient activation requirement in show() Reverts the MAY introduced in #1009 and removes the non-normative "User activation requirement" section that blessed the workaround. Adds a note pointing to #1064 where the platform-wide sanctioned continuation problem is being tracked. Closes #1064 --- index.html | 53 ++++++++++------------------------------------------- 1 file changed, 10 insertions(+), 43 deletions(-) diff --git a/index.html b/index.html index 75fccdf1..0e27ab03 100644 --- a/index.html +++ b/index.html @@ -1012,31 +1012,24 @@

  • If the [=relevant global object=] of [=request=] does not have - [=transient activation=], the user agent MAY: + [=transient activation=]:
    1. Return [=a promise rejected with=] with a {{"SecurityError"}} {{DOMException}}.
    -

    - This allows the user agent to not require user activation, for - example to support redirect flows where a user activation may - not be present upon redirect. See for security - considerations. -

    -

    - See also issue - #1022 for discussion around providing more guidance in the - specification on when user agents should or should not require - a user activation for {{PaymentRequest/show()}}. -

    + Redirect flows can cause legitimate loss of transient activation + before a call to {{PaymentRequest/show()}}. This is a known + platform-wide problem affecting Payment Request, Digital + Credentials, WebAuthn, and other APIs that require user + activation. A general solution is being tracked in issue + #1064.
  • -
  • Otherwise, - [=consume user activation=] of the [=relevant global object=]. +
  • [=Consume user + activation=] of the [=relevant global object=].
  • Let |document| be |request|'s [=relevant global object=]'s [=associated `Document`=]. @@ -4616,32 +4609,6 @@

    opening multiple windows (tabs or pop-ups).

    -
    -

    - User activation requirement -

    -

    - If the user agent does not require user activation as part of the - {{PaymentRequest/show()}} method, some additional security - mitigations should be considered. Not requiring user activation - increases the risk of spam and click-jacking attacks, by allowing a - Payment Request UI to be initiated without the user interacting with - the page immediately beforehand. -

    -

    - In order to mitigate spam, the user agent may decide to enforce a - user activation requirement after some threshold, for example after - the user has already been shown a Payment Request UI without a user - activation on the current page. In order to mitigate click-jacking - attacks, the user agent may implement a time threshold in which - clicks are ignored immediately after a dialog is shown. -

    -

    - Another relevant mitigation exists in step 6 of - {{PaymentRequest/show()}}, where the document must be visible in - order to initiate the user interaction. -

    -

    From 791f83726a5a356dd64e6b5fcc4d35e8df54861e Mon Sep 17 00:00:00 2001 From: Marcos Caceres Date: Mon, 11 May 2026 17:28:20 +1000 Subject: [PATCH 2/2] fix: note legacy UA behavior for activation requirement Acknowledges that some user agents have legacy behavior allowing show() without transient activation, per feedback on #1066. --- index.html | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/index.html b/index.html index 0e27ab03..467f79ab 100644 --- a/index.html +++ b/index.html @@ -1025,7 +1025,9 @@

    Credentials, WebAuthn, and other APIs that require user activation. A general solution is being tracked in issue - #1064. + #1064. Some user agents have legacy behavior that allows + certain calls to {{PaymentRequest/show()}} without requiring + user activation.

  • [=Consume user
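Review bot: in this hunk (@@ -1025,7 +1025,9 @@), "Some user agents have legacy behavior that allows certain calls to {{PaymentRequest/show()}} without requiring user activation" sits in a non-normative note directly after a normative step that now unconditionally rejects such calls, and "certain calls" does not say which calls; as written it reads as though that behaviour were conformant. Suggest stating explicitly that this legacy behaviour does not conform to this specification and is expected to be removed, and either naming the class of calls or linking issue #1066 from the commit message so the scope is traceable.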