Reject PaymentRequest.show with SecurityError DOMException if it is not triggered by user activation

Misc

Allowing PaymentRequest.show() to be triggered without a user activation could be abused by malicious websites. To protect users, the spec has been changed to require user activation.

Specification

Established standard

Status in Chromium

Blink components: Blink>Payments

In development (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Firefox: In development
Edge: No public signals
Safari: Shipped
Web Developers: No signals

Owner

gogerald@chromium.org

Last updated on 2019-05-21