This string/option [1] controls whether a site can check the CanMakePaymentEvent [2]. AFAIK it only exposes a set of which payment method _types_ the user agent currently supports, not any personal details beyond that. (But I'm not an expert on the spec or the implementation in Chrome.)

The PaymentHandler API spec says that user agents must allow users to disable this [3], which is the behavior Chrome follows.

Reporter: What information did this expose in your testing that you think is particularly sensitive? If it is implemented in the way I understand it, this does not seem like a security issue. Adding Privacy and Permissions components so that those teams can triage this further to decide if we want to change this behavior.

Also cc'ing zkoch@ who IIRC was PM for these features and rouslan@ who knows more about payments stuff.

[1] https://cs.chromium.org/chromium/src/components/payments_strings.grdp?q=%22Allow+sites+to+check+if+you+have+payment+methods+saved%22&sq=package:chromium&g=0&l=387
[2] https://w3c.github.io/payment-handler/#dom-canmakepaymentevent
[3] https://w3c.github.io/payment-handler/#information-about-the-user-environment

This is intentional and is by design. Not sure there's anything to do for this bug report? +durgapandey@, +gogerald@.

Thank you for the quick response. I think this option should be disabled by default and only enabled if a user requires.
If i am not wrong, accessing the payment details without the known consent of the user is a security fault.

Re comment #3: I think there is some confusion about "payment details" (cc #s, addresses, etc.) vs. "available payment methods" (do you have a payment handler that can do CC#? Internet Payment Vendor XYZ? etc.). This default-allowed permission only gives details about the later, not the former.

Notably, this does _not_ expose data from autofill. PaymentHandler/PaymentRequest actually _reduces_ the amount of personal data that is sent to the initiating site (as it allows the site to directly request a payment be processed by a separate handler).

As per comment#4, requesting reporter to respond back on it. Hence adding Needs-Feedback label.

Thanks!

As mentioned above this is working as intended. The only information is that is exposed is whether the user is able to make a payment with a specific payment method. This was not seen as too much of a privacy issue, so there is only an opt-out.