Is payment request gated behind https? #658

Closed
jdalton opened this issue Dec 8, 2017 · 7 comments

@jdalton
Member

jdalton commented Dec 8, 2017

Is it spec'ed whether the payment request API works on pages running on the file:///?
Example: A dev opens a page locally (not on localhost) to test the API.

@romandev
Member

romandev commented Dec 8, 2017

PaymentRequest is only allowed in SecureContext.
https://w3c.github.io/payment-request/#paymentrequest-interface

@marcoscaceres
Member

@jdalton, as @romandev stated, the API is only exposed in "SecureContext". You can read about what that means (but effectively, yes - only HTTPS, no file://): https://heycam.github.io/webidl/#SecureContext

@jdalton
Member Author

jdalton commented Dec 8, 2017

Thanks!

@rsolomakhin
Collaborator

FYI, Chrome considers the following to be secure contexts, which allow PaymentRequest per spec:

One interesting edge case is an invalid HTTPS certificate. In this case, Chrome shows an interstitial alerting the user to the dangers of proceeding. If the user elects to proceed, the context is considered secure, so Chrome allows PaymentRequest to match the spec, but the API is neutered:

  1. .canMakePayment() always returns false.
  2. .show() always rejects with NotSupportedError.
  3. The UI is never shown.

You can observe this behavior on https://self-signed.badssl.com/input/web-payment/ for example.

@ianbjacobs
Collaborator

Hi @marcoscaceres and @rsolomakhin,

Did you answer the question differently from one another? It seems Chrome would allow use of PR API with "file:" but @marcoscaceres seems to suggest Firefox would not.

Am I reading that correctly?

Whatever the outcome, I'd like to add to the FAQ [1].

Ian

[1] https://github.com/w3c/payment-request-info/wiki/FAQ/

@rsolomakhin
Collaborator

@ianbjacobs: The spec allows PaymentRequest in "secure context," which includes file:// in Chrome, but not in Firefox, from what I understand. This is a good item to add to the FAQ.

@ianbjacobs
Collaborator

MDN documentation [1] says: "Locally delivered files such as http://localhost and file:// paths are considered to have been delivered securely."

Ian

[1] https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts
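
The behaviour discussed in this thread, as an added example that is not part of any participant's comment or of the spec: a probe that separates "not a secure context" from "interface exposed but unusable" (the invalid-certificate case described for Chrome), plus a `show()` wrapper that falls back on `NotSupportedError`. The function names, result strings and the sample payment method URL are constructed for illustration.

```javascript
// Added example. `env` stands in for `window`; the method URL and total are constructed.
const SAMPLE_METHODS = [{ supportedMethods: "https://pay.example/method" }];
const SAMPLE_DETAILS = {
  total: { label: "Probe", amount: { currency: "USD", value: "1.00" } },
};

// Returns a string describing how far PaymentRequest can be used in `env`.
async function probePaymentRequest(env) {
  // A browser that does not treat the page as a secure context reports it here.
  if (env.isSecureContext === false) return "insecure-context";
  // [SecureContext] interfaces are not exposed on the global outside a secure context.
  if (typeof env.PaymentRequest !== "function") return "not-exposed";
  let request;
  try {
    request = new env.PaymentRequest(SAMPLE_METHODS, SAMPLE_DETAILS);
  } catch (err) {
    return "constructor-threw:" + err.name;
  }
  try {
    // canMakePayment() shows no UI. A false result is ambiguous: either no usable
    // payment method, or the neutered API after a certificate-warning click-through.
    const ok = await request.canMakePayment();
    return ok ? "usable" : "exposed-but-unavailable";
  } catch (err) {
    return "probe-failed:" + err.name;
  }
}

// Calls show() and runs `fallback` (e.g. a regular checkout form) when the
// browser rejects with NotSupportedError; other errors go back to the caller.
async function showOrFallback(request, fallback) {
  try {
    return await request.show();
  } catch (err) {
    if (err.name === "NotSupportedError") return fallback();
    throw err; // e.g. AbortError when the user dismisses the sheet
  }
}
```

In a page, call `probePaymentRequest(window)`; running it once from a `file://` URL and once over HTTPS in each target browser shows directly whether that browser exposes the interface there.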
