diff --git a/index.html b/index.html index 93fe6e2e..66b16995 100644 --- a/index.html +++ b/index.html @@ -1003,15 +1003,31 @@
+ This allows the user agent to not require user activation, for + example to support redirect flows where a user activation may + not be present upon redirect. See + for security + considerations. +
++ See also + + issue #1022 for discussion around providing more guidance + in the specification on when user agents should or should not + require a user activation for {{PaymentRequest/show()}}. +
++ If the user agent does not require user activation as part of the + {{PaymentRequest/show()}} method, some additional security mitigations + should be considered. Not requiring user activation increases the risk + of spam and click-jacking attacks, by allowing a Payment Request UI + to be initiated without the user interacting with the page immediately + beforehand. +
++ In order to mitigate spam, the user agent may decide to enforce a user + activation requirement after some threshold, for example after the + user has already been shown a Payment Request UI without a user + activation on the current page. In order to mitigate click-jacking + attacks, the user agent may implement a time threshold in which clicks + are ignored immediately after a dialog is shown. +
++ Another relevant mitigation exists in step 6 of + {{PaymentRequest/show()}}, where the document must be visible in order + to initiate the user interaction. +
+
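Review bot: the reference "See ... for security considerations." in the first added paragraph has no visible link text or target in this hunk; confirm it resolves to the new security-mitigation paragraphs added below it rather than to an unresolved anchor. Two smaller points in the same hunk: the final paragraph points at "step 6 of {{PaymentRequest/show()}}" by number, which silently breaks when the algorithm's steps are renumbered, so link to the step's own anchor or describe it ("the step that requires the document to be visible") instead; and the mitigations are phrased as "the user agent may decide to enforce ..." / "may implement a time threshold", which reads as optional, so if the intent is that implementations lacking a user-activation requirement are expected to apply at least one of these, state that expectation explicitly (for example "should apply one or more of the following") so the "some additional security mitigations should be considered" sentence has concrete follow-through.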