[mt] This is a terrible idea.

Looking to close with unsatisfied. Martin will draft something that will likely be very spicy. Jeffrey will help make that less overtly offensive.

Jeffrey: close to closing, comments from me and Martin

Tess: wasn't super enthused about the start of your comment. What is the use case we agree with? Having pay buttons on the web at all?

Jeffrey: the idea that having a pay button that you click on then there's no information to help you with paying is a bad experience

Tess: right now you get to a checkout page and there's paypal and apple pay and google pay etc and you click on one of the buttons. And it works or doesn't. The use case they're trying to solve specifically is I don't remember offhand as a user if I provisioned a card yet in apple pay and the button on the page doesn't suggest to me whether I have or not so I don't know if clicking on that button will be faster or slower than filling out the form myself

Jeffrey: you click apple pay, it didn't work, you click paypal, that's another part. It didn't tell you you should use paypal not apple pay

Tess: it couldn't have known that beforehand. I'm wary of describing the use case of anything vaguer than trying to make that button look like you've already configured google pay so you can trust that you can be faster to click on it than not. That's the actual use case. We already have payment request. It has to be more specific than an api that already exists.

Jeffrey: Right. That was meant as context for the rest. Shortening that makes sense. My goal is to identiy a reasonable use case.

Tess: i suspect I could get behind some description of the use case

Matthew: I've read both comments, Jeffrey's is more dispassionate. It can't be misinterpreted as us saying they're bad. The bit I had most concern with was the very start in much the same way. The approach is constructive. We talked about how much work we want to give them. Not sure we have consensus on the use case.

Jeffrey: happy to redraft first paragraph

Matthew: the fedid people want to pull login providers out of the webpage and into the browser. Is this a stepping stone to that?

Jeffrey: the way fedcm works in chrome is it sticks this sort of information inside of the content area in a way that we should dislike. The shape of the api would allow a browser to pull it out of the content area, but the implementation hasn't done that. We should say something about fedcm, connected to this issue. But it's also separate, it's a UI choice chrome has made not required by the api shape.

Peter: if the use case is knowing you've provisioned google pay or apple pay, isn't that provided by th epayment request api?

Tess: there's a query method to ask if a payment method is supported. That will not say is a card provisioned at apple pay or not. Don't think there's api to tell you there's a card provisioned. Fingerprinting risk.

Peter: is there a way to provide functionality to the user without exposing it to the webpage

Tess: payment request.. you get the UI.. at that point when you see that screen you'll know if you've provisioned a card or not, because it'll be filled out or it won't. They're trying to shortcut that.

Peter: have you already selected the payment provider at that point?

Tess: depends on the browser. In Safari Apple Pay is the only payment provider supported. In a browser that supports others you'd have to have a way of selecting them.

Peter: presuming there's multiple if the browser is going to present the ui to choose the payment method, the browser can tell the user which is provisioned..

Tess: depends on the relationship between the browser and the payment method and the apis available, it might not have any way of knowing

Jeffrey: Shopify wants this and are not a payment provider

Peter: in general we tend to recommend instead of a broad api that exposes user information in js, just use this platform api and let the browser handle all of it. I'd like to have that response here. Just use payment request api, solve them in payment request. If there's a problem why you can't use payment request, let's fix payment request

Jeffrey: that has not been convincing to the payment providers. My impression is they don't want to outsource their UI to the browsers. When we force them to they have specific requests about what exactly the UI should look like becuase of their legal teams.

Peter: this is the payment providers

Jeffrey: Stripe and friends

Peter: that would be handling the transiaction.. are not wanting to work with the browsers?

Jeffrey: they did work with us in the context of the webauthn integration. They had to. They insisted in precise language in the opt outs inside the browser UI. That was for one piece of their authn flow. Getting the entire payment flow into the browser will be even more of that.

Peter: disappointing but understandable. That would be the better direction, rather than opening up other weird escape hatches.

Jeffrey: we are suggesting this might be attainable by sticking some UI into the browser chrome rather than the page. Of course it's a security problem if the page controls what's in the browser chrome

Peter: not the content, but the page can influence what gets to show up by opting into different providers

Jeffrey: folks also wondered if the actual attack we're worried about is reasonable for payment. If we stick the credit card number in the page is that likely to trick users into thinking the've given the page their credit card number already and will that change their behaviour?

Tess: we know it does because they're justifying this api on that basis

Jeffrey: but is it because it's tricking the user? they can do research to answer that and they should. Not obvious which way it comes out.

Peter: even if you say overwhelmingly it's just a confidence thing, there will be some people who think they've been there before and it's saved their card

Jeffrey: what fraction of tricked users is acceptable

Jeffrey: Martin wrote a draft comment...

Peter: we did discuss at the Seattle f2f...

Yves: we concluded that it was a potentially deceptive pattern - you may feel you have done business with these people...

Jeffrey: the core use case is telling the user that clicking this button will do something for them - prefilling credit card number, for example.

Peter: how do you enable a feature like that in a way that is not deceptive.

Tess: put the info that is cross-site outside of the viewport. People don't have a mental model that includes iframes...

Jeffrey: I'll propose some new text...

Dan: would an alert in the browser chrome make sense?

Jeffrey: we can ask the proposers for user research that indicates why there has been a change of behaviour (e.g. increase in "conversion")

Jeffrey: I don't think we're ready to post a position yet ... Martin and I have been going back and forth on this ... concerns about the use cases ... many TAG members seem to be OK with the "NASCAR" use case - i.e. removing the need to have all the payment type buttons. But we might have to just say there's disagreement on the use cases / disagreement on the solution...

... then there is a question of what to do with the overall fenced frames feature - don't know what the use cases are without this (#838) or protected audience. #975 is one of the uses for fenced frames ...

... don't think fenced frames relies on protected audience but another use supports protected audience ...

... one thing the developer team might come back with - is a general argument embedding in the web ... "we want to do authenticated embeds" and the TAG might say "unpermissioned authenticated embeds are bad". Storage Access and FedCM as alternatives - "do we have permission to join your identity".. We don't have a solution for embeds that don't join identities.

Hadley: I think we havea fundamental problem with it...

Jeffrey: I see a use case for an embedded google doc - if the UA is incharge of the UI... If you don't let the embedded page knowledge... Render the embedded page as if it were top level - and that it's not exposed to the surrounding page.

Hadley: isn't that still partitioned?

Jeffrey: yes that's .. segregated data .. supposed to act like it's partitioned. The thing we're worried about is showing the other partition inside of the current page. If the UA rendered a google docs document as if it's a top level navigation and placed it in the ... top level area of another page - maybe the UA could do something that's sufficiently clear... Not sure that would work but it seems the most plausible...

Jeffrey: Martin, I'd like to know more about what you think are the use cases? What do you hate about tbe nascar thing?

Martin: nothing in the soultion allows us to distinguish between that use case and the abuse cases. This seems to enable abuse and doesn't enable the things I think I care about. Nascar: you ahve to log in with one of the 500 different id providers, and you have to find it out of this giant grid. We have a solution for that: FedCM, and the browser knows which of those identities you have.

Then we don't have all the abuse and deception.

Jeffrey: so the idea is represent all the payment and this provider has some info to fill in treat those login cases?

Martin: or similar. Different flow for payments, but yes.

Jeffrey: I can put in suggested comment.

Martin: whether or not this is so bad we object? I would. Not sure if we have consensus there

Jeffrey: I don't think there's a problem with saying this solution is objectionable. I was trying to phrase it effectively.

Martin: there is a piece of the problem that is useful. We should focus on that.

Talking about web payments and fedCM -- examples of where the browser can mediate these things. constructive way to do it.