Nit: shall we disable JIT as well? Downloading and parsing payment method and app manifests looks not very harmful if users are already in that web page? 

And show just hide JIT handlers?

Let's disable JIT. PaymentRequest.show() without user gesture should be rare and we want it to go away entirely. Removing JIT from this situtation is a good insentive for merchants to fix their code. At the same time, those who we know need JIT now should not be broken by this requirement.

Shall we consider clicking 'Pay' is a user gesture? Sorry to scatter these information in three messages, typing when thinking :).

Sure. That makes sense. So we should disable only the skip-UI when there's no user gesture.

https://crrev.com/c/993412

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/833f851bc53d2eb84e93be47009583878d751194

commit 833f851bc53d2eb84e93be47009583878d751194
Author: Rouslan Solomakhin <rouslan@chromium.org>
Date: Tue Apr 03 23:19:25 2018

[Payment Request] Require user gesture for skip-UI.

Before this patch, calling `new PaymentRequest(https://foo.com).show()`
without a user gesture could skip the payment sheet and go directly into
the payment handler for https://foo.com, i.e., the skip-UI flow.

This patch passes the user gesture flag from the renderer to the browser
and prevents the skip-UI flow for the cases when show() was called
without a user gesture.

After this patch, calling `new PaymentRequest(https://foo.com).show()`
without a user gesture will show the payment sheet, so the user will
have to explicitly provide the user gesture by tapping the "Pay" button
in the payment sheet before invoking the payment app.

Bug:  828427 
Change-Id: Iaea5fe3ede1bbd4b68f2c06f63bde4bd36a38e43
Reviewed-on: https://chromium-review.googlesource.com/993412
Reviewed-by: Chris Palmer <palmer@chromium.org>
Reviewed-by: anthonyvd <anthonyvd@chromium.org>
Commit-Queue: Rouslan Solomakhin <rouslan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#547862}
[modify] https://crrev.com/833f851bc53d2eb84e93be47009583878d751194/chrome/android/java/src/org/chromium/chrome/browser/payments/PaymentRequestFactory.java
[modify] https://crrev.com/833f851bc53d2eb84e93be47009583878d751194/chrome/android/java/src/org/chromium/chrome/browser/payments/PaymentRequestImpl.java
[modify] https://crrev.com/833f851bc53d2eb84e93be47009583878d751194/components/payments/content/payment_request.cc
[modify] https://crrev.com/833f851bc53d2eb84e93be47009583878d751194/components/payments/content/payment_request.h
[modify] https://crrev.com/833f851bc53d2eb84e93be47009583878d751194/third_party/WebKit/Source/modules/payments/PaymentRequest.cpp
[modify] https://crrev.com/833f851bc53d2eb84e93be47009583878d751194/third_party/WebKit/public/platform/modules/payments/payment_request.mojom

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d5ccecda0fa773e0d71a36a2c88af2f7af1632d8

commit d5ccecda0fa773e0d71a36a2c88af2f7af1632d8
Author: Rouslan Solomakhin <rouslan@chromium.org>
Date: Fri Apr 13 01:29:27 2018

[Payment Request] Configurable skip-UI user gesture requirement.

This patch adds the ability for implementers of PaymentInstrument
interface to determine whether skipping the payment sheet into this
instrument should require a user gesture. By default, the user gesture
is required for the skip UI flow.

Bug:  828427 
Change-Id: Id6878c7d0d9bef71da7734d2efec3fd6002fe282
Reviewed-on: https://chromium-review.googlesource.com/1010975
Reviewed-by: anthonyvd <anthonyvd@chromium.org>
Commit-Queue: Rouslan Solomakhin <rouslan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550461}
[modify] https://crrev.com/d5ccecda0fa773e0d71a36a2c88af2f7af1632d8/chrome/android/java/src/org/chromium/chrome/browser/payments/PaymentInstrument.java
[modify] https://crrev.com/d5ccecda0fa773e0d71a36a2c88af2f7af1632d8/chrome/android/java/src/org/chromium/chrome/browser/payments/PaymentRequestImpl.java

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/clank/internal/apps/+/9a8a223920c4a3d81937c717fab36c2983245875

commit 9a8a223920c4a3d81937c717fab36c2983245875
Author: Rouslan Solomakhin <rouslan@chromium.org>
Date: Fri Apr 13 15:21:59 2018

Need to merge https://crrev.com/d5ccecda0fa773e0d71a36a2c88af2f7af1632d8 and    https://chrome-internal.googlesource.com/clank/internal/apps/+/9a8a223920c4a3d81937c717fab36c2983245875 into M-67 to avoid breaking some existing flows.

Your change meets the bar and is auto-approved for M67. Please go ahead and merge the CL to branch 3396 manually. Please contact milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Pls merge your change to M67 branch 3396 by 1:00 PM PT Monday (04/16/18) so we can pick it up for next M67 dev release. Thank you.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3063dc620b55358342f0ecc306dc571ec42c0d13

commit 3063dc620b55358342f0ecc306dc571ec42c0d13
Author: Rouslan Solomakhin <rouslan@chromium.org>
Date: Mon Apr 16 13:46:47 2018

[Merge M67][Payment Request] Configurable skip-UI user gesture requirement.

This patch adds the ability for implementers of PaymentInstrument
interface to determine whether skipping the payment sheet into this
instrument should require a user gesture. By default, the user gesture
is required for the skip UI flow.

TBR=rouslan@chromium.org

(cherry picked from commit d5ccecda0fa773e0d71a36a2c88af2f7af1632d8)

Bug:  828427 
Change-Id: Id6878c7d0d9bef71da7734d2efec3fd6002fe282
Reviewed-on: https://chromium-review.googlesource.com/1010975
Reviewed-by: anthonyvd <anthonyvd@chromium.org>
Commit-Queue: Rouslan Solomakhin <rouslan@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#550461}
Reviewed-on: https://chromium-review.googlesource.com/1013608
Reviewed-by: Rouslan Solomakhin <rouslan@chromium.org>
Cr-Commit-Position: refs/branch-heads/3396@{#13}
Cr-Branched-From: 9ef2aa869bc7bc0c089e255d698cca6e47d6b038-refs/heads/master@{#550428}
[modify] https://crrev.com/3063dc620b55358342f0ecc306dc571ec42c0d13/chrome/android/java/src/org/chromium/chrome/browser/payments/PaymentInstrument.java
[modify] https://crrev.com/3063dc620b55358342f0ecc306dc571ec42c0d13/chrome/android/java/src/org/chromium/chrome/browser/payments/PaymentRequestImpl.java

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/clank/internal/apps/+/91660f3123a59308536893e09d9cf9254f3c904b

commit 91660f3123a59308536893e09d9cf9254f3c904b
Author: Rouslan Solomakhin <rouslan@chromium.org>
Date: Mon Apr 16 13:52:14 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d5ccecda0fa773e0d71a36a2c88af2f7af1632d8

commit d5ccecda0fa773e0d71a36a2c88af2f7af1632d8
Author: Rouslan Solomakhin <rouslan@chromium.org>
Date: Fri Apr 13 01:29:27 2018

[Payment Request] Configurable skip-UI user gesture requirement.

This patch adds the ability for implementers of PaymentInstrument
interface to determine whether skipping the payment sheet into this
instrument should require a user gesture. By default, the user gesture
is required for the skip UI flow.

Bug:  828427 
Change-Id: Id6878c7d0d9bef71da7734d2efec3fd6002fe282
Reviewed-on: https://chromium-review.googlesource.com/1010975
Reviewed-by: anthonyvd <anthonyvd@chromium.org>
Commit-Queue: Rouslan Solomakhin <rouslan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550461}
[modify] https://crrev.com/d5ccecda0fa773e0d71a36a2c88af2f7af1632d8/chrome/android/java/src/org/chromium/chrome/browser/payments/PaymentInstrument.java
[modify] https://crrev.com/d5ccecda0fa773e0d71a36a2c88af2f7af1632d8/chrome/android/java/src/org/chromium/chrome/browser/payments/PaymentRequestImpl.java