#1213: Question: Capability Delegation stalled -- specs are implementing local workarounds

Opened Mar 30, 2026

In 2021 the TAG reviewed Capability Delegation (#655) and closed it as satisfied. The work was expected to move to WHATWG. It hasn't. The last commit to the WICG repo is February 2023, and the upstreaming issue (WICG/capability-delegation#40) has had no activity.

In the absence of a general solution, specs are now solving the redirect-breaks-activation problem independently:

  • Payment Request weakened the show() activation requirement from a hard requirement to a MAY in PR #1009 (June 2023), with security mitigations left to implementer discretion.
  • Digital Credentials is now proposing a freebie counter that allows one activation-free credential request per global object, citing Payment Request as precedent.

Each spec is solving this locally, inconsistently, and in ways that are exploitable (the DC counter is bypassable via iframes and back/forward navigation). The precedent chain is accumulating.

This is directly relevant to the TAG's finding on preventing credential abuse, which warns against normalizing credential requests by reducing friction.

We have filed a PR on Payment Request to restore the hard requirement and replace it with a note pointing to the open problem, and a comment on the DC PR making the same case.

The question: Is there anything the TAG can do to help move Capability Delegation forward -- whether that means pushing for WHATWG uptake, issuing a finding that names the pattern and blocks per-spec workarounds, or something else? The problem is real and the gap is now producing concrete harm in multiple specs.

Discussions

Comment by @yoavweiss Mar 30, 2026

^^ @mustaqahmed