
Issue 713217


Issue metadata

Status: Fixed
Owner:
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 3
Type: Bug




Show warning instead of rejecting with Quota Exceeded on localhost origin and file:// scheme

Project Member Reported by rouslan@chromium.org, Apr 19 2017

Issue description

When a web developer is working on localhost or in file:// scheme and calling PaymentRequest.canMakePayment(), they are querying their own payment methods. They should be aware that repeated querying on a production website will be rejected, but should be given the freedom to tinker with their own computer.
 
Chris: Is this a good idea from security/privacy standpoint?

Matt: Does this console warning message sound good?

  "Ignoring query quota for PaymentRequest.canMakePayment() on localhost and file:// scheme."

Comment 2 by palmer@chromium.org, Apr 19 2017

What is the quota in question, and what is it intended to protect? I don't recall having heard of it. (Possibly I'm forgetting.)
I'd rephrase the message to explain a little more; the current proposal assumes the developer knows there is a quota.

"Quota Reached for PaymentRequest.canMakePayment(). This would normally reject but allowing continued usage on localhost and file://scheme origins."

Comment 4 by palmer@chromium.org, Apr 19 2017

Labels: OS-All
Is the intention that the quota protects servers from being overloaded, or something else?

The reason I ask is, one can imagine that an attacker would somehow (drive-by forced download + social engineering) entice a person to download an attack page, and then the person would unwittingly let the file:///Users/LordBritish/Downloads/payment-attack.html exceed the quota. But I don't know how bad it would actually be if that were to happen.

Normally my view is that servers need to take care of themselves, but I don't think I understand all the moving parts here yet.
For some context.

The API can be used to check if the user currently has a Visa card saved with Chrome, then a Mastercard, then "Payment method XYZ"  etc. 

The quota prevents people from iterating over all possible combinations to learn what is currently stored in Chrome (Note - it doesn't actually give any of the payment details to the developer, it only returns a boolean).

Comment 6 by palmer@chromium.org, Apr 19 2017

Ah, so it's to protect client side information. Makes sense.

How many possible options are there, and how many guesses does the quota allow?
Client side information includes whether the user has installed Android Pay or has a Visa, Mastercard, American Express, Mir, JCB, or UnionPay card.

Each iframe origin is allowed to query one subset of these per 30 minutes.

Comment 8 by palmer@chromium.org, Apr 20 2017

OK, great. This all sounds reasonable to me. Carry on. :)

Comment 10 by bugdroid1@chromium.org, Apr 24 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/deb6be8f732a157329490e49fbfd41826757a0fd

commit deb6be8f732a157329490e49fbfd41826757a0fd
Author: rouslan <rouslan@chromium.org>
Date: Mon Apr 24 20:22:04 2017

No rate limit for canMakePayment() on localhost and file://.

Before this patch, when web developers are working on localhost or in
file:// scheme origins and calling PaymentRequest.canMakePayment() with
different payment methods, they would quickly hit a rate limit, even
though they are querying their own payment methods.

The fix is to warn the web developers on localhost and file:// scheme
origins that the quota has been reached, but to not enforce it. This
warning is printed to the developer console:

  "Quota reached for PaymentRequest.canMakePayment(). This would
   normally reject the promise, but allowing continued usage on
   localhost and file:// scheme origins."

The integration tests call
PaymentRequestImpl.setIsLocalCanMakePaymentQueryQuotaEnforcedForTest()
to mimic the production behavior.

After this patch, the web developers have the freedom to tinker with
their own computer and are aware that excessive querying in production
website will be rejected.

(Note this patch also cleans up the no longer used feature flag
"AndroidPaymentAppsFilter".)

BUG= 713217 

Review-Url: https://codereview.chromium.org/2836443002
Cr-Commit-Position: refs/heads/master@{#466734}

[modify] https://crrev.com/deb6be8f732a157329490e49fbfd41826757a0fd/chrome/android/java/src/org/chromium/chrome/browser/ChromeFeatureList.java
[modify] https://crrev.com/deb6be8f732a157329490e49fbfd41826757a0fd/chrome/android/java/src/org/chromium/chrome/browser/payments/AndroidPaymentAppFactory.java
[modify] https://crrev.com/deb6be8f732a157329490e49fbfd41826757a0fd/chrome/android/java/src/org/chromium/chrome/browser/payments/AndroidPaymentAppFinder.java
[modify] https://crrev.com/deb6be8f732a157329490e49fbfd41826757a0fd/chrome/android/java/src/org/chromium/chrome/browser/payments/PaymentRequestImpl.java
[modify] https://crrev.com/deb6be8f732a157329490e49fbfd41826757a0fd/chrome/android/javatests/src/org/chromium/chrome/browser/payments/PaymentRequestBasicCardTest.java
[modify] https://crrev.com/deb6be8f732a157329490e49fbfd41826757a0fd/chrome/android/javatests/src/org/chromium/chrome/browser/payments/PaymentRequestCcCanMakePaymentQueryTest.java
[modify] https://crrev.com/deb6be8f732a157329490e49fbfd41826757a0fd/chrome/android/javatests/src/org/chromium/chrome/browser/payments/PaymentRequestPaymentAppCanMakePaymentQueryTest.java
[modify] https://crrev.com/deb6be8f732a157329490e49fbfd41826757a0fd/chrome/android/junit/src/org/chromium/chrome/browser/payments/AndroidPaymentAppFinderTest.java
[modify] https://crrev.com/deb6be8f732a157329490e49fbfd41826757a0fd/chrome/browser/about_flags.cc
[modify] https://crrev.com/deb6be8f732a157329490e49fbfd41826757a0fd/chrome/browser/android/chrome_feature_list.cc
[modify] https://crrev.com/deb6be8f732a157329490e49fbfd41826757a0fd/chrome/browser/android/chrome_feature_list.h
[modify] https://crrev.com/deb6be8f732a157329490e49fbfd41826757a0fd/chrome/browser/flag_descriptions.cc
[modify] https://crrev.com/deb6be8f732a157329490e49fbfd41826757a0fd/chrome/browser/flag_descriptions.h
[modify] https://crrev.com/deb6be8f732a157329490e49fbfd41826757a0fd/components/payments/content/android/java/src/org/chromium/components/payments/OriginSecurityChecker.java
[modify] https://crrev.com/deb6be8f732a157329490e49fbfd41826757a0fd/components/payments/content/android/origin_security_checker_android.cc
[modify] https://crrev.com/deb6be8f732a157329490e49fbfd41826757a0fd/components/payments/content/origin_security_checker.cc
[modify] https://crrev.com/deb6be8f732a157329490e49fbfd41826757a0fd/components/payments/content/origin_security_checker.h
[modify] https://crrev.com/deb6be8f732a157329490e49fbfd41826757a0fd/components/payments/mojom/payment_request.mojom
[modify] https://crrev.com/deb6be8f732a157329490e49fbfd41826757a0fd/third_party/WebKit/Source/modules/payments/PaymentRequest.cpp

Status: Fixed (was: Started)
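
The quota and the local-origin exemption discussed in this thread, modelled as an added JavaScript example; it is not Chromium's code and not part of the original issue. The loopback host list, the class and function names, and the lowercase method labels used with it are assumptions made for illustration.

```javascript
// Added model of the quota discussed in this issue; not Chromium's code.
const QUOTA_WINDOW_MS = 30 * 60 * 1000; // "per 30 minutes", from the thread
const QUOTA_WARNING =
  'Quota reached for PaymentRequest.canMakePayment(). This would normally ' +
  'reject the promise, but allowing continued usage on localhost and ' +
  'file:// scheme origins.'; // console text quoted in the commit message

// Assumption: "local" means file:// or a loopback host name.
function isLocalDevOrigin(frameUrl) {
  const u = new URL(frameUrl);
  return u.protocol === 'file:' ||
    ['localhost', '127.0.0.1', '[::1]'].includes(u.hostname);
}

class CanMakePaymentQuota {
  constructor(now = () => Date.now()) {
    this.now = now;          // injectable clock so the window can be tested
    this.seen = new Map();   // origin -> { key, expires }
    this.warnings = [];      // stands in for the developer console
  }

  // Returns 'allow', 'warn' (quota hit, local origin) or 'reject'.
  check(frameUrl, methods) {
    const origin = new URL(frameUrl).origin; // 'null' for every file:// URL
    const key = [...new Set(methods)].sort().join(',');
    const t = this.now();
    const entry = this.seen.get(origin);
    if (!entry || t >= entry.expires) {
      this.seen.set(origin, { key, expires: t + QUOTA_WINDOW_MS });
      return 'allow';
    }
    if (entry.key === key) return 'allow'; // same subset may be re-queried
    if (isLocalDevOrigin(frameUrl)) {
      this.warnings.push(QUOTA_WARNING);
      return 'warn';
    }
    return 'reject';
  }
}

// Counts how many one-method queries a frame gets answered in one window.
function answeredQueries(quota, frameUrl, candidates) {
  return candidates
    .map((m) => quota.check(frameUrl, [m]))
    .filter((r) => r !== 'reject').length;
}
```

With six constructed method labels, a production origin gets one answer per window while a localhost or file:// frame gets all six, each extra query logging the warning.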
