SPC Task Force

31 January 2022


Clinton Allen (American Express), Doug Fisher (Visa), Ian Jacobs (W3C), John Bradley (Yubico), Nick Burris (Google), Rolf Lindemann (Nok Nok Labs), Sameer Tare (Mastercard), Stephen McGruer (Google), Werner Bruinings (American Express)
Jean-Carlo Emer (Stripe), Praveena Subrahmanyam (Airbnb)

Meeting minutes

Proposal to address issue 125 (failed icon download)


smcgruer_[EST]: Proposal is optional input to say "ok if it doesn't download"
… question of whether it's possible to remove a WebIDL field.

John_Bradley: Some concerns about "removal"; zeroing may be more reliable behavior

Doug: What is the status of "placeholder" versus "removal"?
… I would prefer placeholder rather than no icon

Ian: What type of icon do you mean?

Doug: Browser-based

smcgruer_[EST]: I hear 2 things:

a) Did the browser show something or literally nothing?

b) If the browser shows something, it would be a PNG that shipped with the browser.

Doug: From a validator POV, you'd always be able to verify that either the proper card art was shown, or a default logo for the browser was shown.

John: The browser could also use a URL or URN here.

IJ: Is there a difference from the perspective of the validator?

John: The merchant can always tamper with the card art URL.
… you need to validate the assertion in all cases
… might make server side processing easier if there's always the same data type (e.g., a URL)

Doug: I think the boolean would be useful for the validator.

Doug: Possibly from a UI perspective I would like to "not see something wrong" (e.g., missing card art)
… I would not want it to look different each time; would like to see a persistent backup.

John_Bradley: The question of "typing" might be why Stripe wanted the member removed rather than being empty; we should get their input.

Rolf: What is the clear statement of the problem?
… is the attack a dynamic URL? Bad icon?

smcgruer_[EST]: The background to the original request for this functionality is that there are users of SPC who do not mind if the card art doesn't show.
… or e.g., CSP policy or other issues got in the way, and callers were ok with failure.

Ian: I suggest decoupling data from UX. And saying UX could / should include generic card art

John_Bradley: Yes, saying "show generic card art" or similar

Ian: It's not necessarily cards.

John_Bradley: Right, generic instrument icon

<smcgruer_[EST]> https://www.irccloud.com/pastebin/0Ov42m1s/

John_Bradley: I think it's fair to say a generic instrument icon should be displayed when this error happens.

smcgruer_[EST]: I think the PR is ready to go; please leave a comment on the PR.

New issue 172: Opt-out link enhancement


[Stephen summarizes 172]
… Stripe feels that some feature like this is necessary for them to use SPC

John: What is diff between opt-out and cancel?

<Ian> Next meeting: 7 February

