fix: restore transient activation requirement in show()

index.html

@@ -1012,31 +1012,26 @@ <h2>
           <li data-tests=
           "payment-request-show-method.https.html, show-method-postmessage-manual.https.html">
           If the [=relevant global object=] of [=request=] does not have
-          [=transient activation=], the user agent MAY:
+          [=transient activation=]:
             <ol>
               <li>Return [=a promise rejected with=] with a {{"SecurityError"}}
               {{DOMException}}.
               </li>
             </ol>
             <div class="note">
-              <p>
-                This allows the user agent to not require user activation, for
-                example to support redirect flows where a user activation may
-                not be present upon redirect. See <a href=
-                "#user-activation-requirement"></a> for security
-                considerations.
-              </p>
-              <p>
-                See also <a href=
-                "https://github.com/w3c/payment-request/issues/1022">issue
-                #1022</a> for discussion around providing more guidance in the
-                specification on when user agents should or should not require
-                a user activation for {{PaymentRequest/show()}}.
-              </p>
+              Redirect flows can cause legitimate loss of transient activation
+              before a call to {{PaymentRequest/show()}}. This is a known
+              platform-wide problem affecting Payment Request, Digital
+              Credentials, WebAuthn, and other APIs that require user
+              activation. A general solution is being tracked in <a href=
+              "https://github.com/w3c/payment-request/issues/1064">issue
+              #1064</a>. Some user agents have legacy behavior that allows
+              certain calls to {{PaymentRequest/show()}} without requiring
+              user activation.
             </div>
           </li>
-          <li data-tests="show-consume-activation.https.html">Otherwise,
-          [=consume user activation=] of the [=relevant global object=].
+          <li data-tests="show-consume-activation.https.html">[=Consume user
+          activation=] of the [=relevant global object=].
           </li>
           <li>Let |document| be |request|'s [=relevant global object=]'s
           [=associated `Document`=].
@@ -4616,32 +4611,6 @@ <h2 id="canmakepayment-protections">
           opening multiple windows (tabs or pop-ups).
         </p>
       </section>
-      <section>
-        <h2 id="user-activation-requirement">
-          User activation requirement
-        </h2>
-        <p>
-          If the user agent does not require user activation as part of the
-          {{PaymentRequest/show()}} method, some additional security
-          mitigations should be considered. Not requiring user activation
-          increases the risk of spam and click-jacking attacks, by allowing a
-          Payment Request UI to be initiated without the user interacting with
-          the page immediately beforehand.
-        </p>
-        <p>
-          In order to mitigate spam, the user agent may decide to enforce a
-          user activation requirement after some threshold, for example after
-          the user has already been shown a Payment Request UI without a user
-          activation on the current page. In order to mitigate click-jacking
-          attacks, the user agent may implement a time threshold in which
-          clicks are ignored immediately after a dialog is shown.
-        </p>
-        <p>
-          Another relevant mitigation exists in step 6 of
-          {{PaymentRequest/show()}}, where the document must be visible in
-          order to initiate the user interaction.
-        </p>
-      </section>
     </section>
     <section class="informative">
       <h2>