Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disallow ambiguous methodData declarations? #905

Closed
crowgames opened this issue Apr 1, 2020 · 5 comments · Fixed by #908
Closed

Disallow ambiguous methodData declarations? #905

crowgames opened this issue Apr 1, 2020 · 5 comments · Fixed by #908
Assignees
@marcoscaceres
Labels
Has Pull Request

Comments

@crowgames
Copy link

In my Masters' thesis, I found a set of issues with the Web Payment APIs (see #903 for further reference). This is one of the mentioned issues.

The current specification allows for methodData declarations that have the following form:

const methodData = [
  {
    supportedMethods: "https://example.com/bobpay",
    data: {
      merchantIdentifier: "XXXX",
      bobPaySpecificField: true,
    },
  },
  {
    supportedMethods: "https://example.com/bobpay",
    data: {
      merchantIdentifier: "YYYY",
      bobPaySpecificField: true,
    },
  },
];

Such an ambiguous methodData declaration (two different entries for a single payment method identifier), is not further discussed by the spec.
If a payment handler and/or the trusted payment UI are inconsistent regarding which entry they use, this might have serious implications (such as diferent merchants receiving the payment).
This especially holds true for potential future named payment methods such as basic-card.

In case of the declaration of modifiers, the spec offers a "last-one-wins" approach.
I advocate that such ambiguous methodData declarations should not be allowed at all, at the very least they should be mentioned to raise awareness.
In my opinion they should lead to an erroneous case on payment request creation.
@ianbjacobs
Copy link
Collaborator

Thanks @crowgames!

@rsolomakhin, @aestes, @marcoscaceres, @romandev do you have any thoughts on this? I hear some options are:

  1. Adopt a last-one-wins approach as done with modifiers
    Define handling of multiple applicable modifiers #824
  2. Throw an error
  3. Leave as is. If so, what are the use cases that support this?
  4. Other?

Thanks!

Ian

@marcoscaceres
Copy link
Member

Let's throw. I can't think of a use case for having multiple.

@marcoscaceres marcoscaceres mentioned this issue Apr 27, 2020
Merged
8 tasks
@marcoscaceres marcoscaceres self-assigned this Apr 27, 2020
@ianbjacobs
Copy link
Collaborator

@danyao and @Rouslan, I think I heard today support for this. Could you +1? Thanks!

@danyao
Copy link
Collaborator

danyao commented May 8, 2020

+1 to throwing. It seems to me that a well-formed request should never have this shape and it's pretty easy for a developer to detect if they accidentally create an error. So throwing seems the simplest way to handle it.

@w3c w3c deleted a comment from Tom333Trinity May 11, 2020
@marcoscaceres
Copy link
Member

Ok, proposed PR over at #908

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@marcoscaceres marcoscaceres

Labels
Has Pull Request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: disallow duplicate PMIs when creating request w3c/payment-request
4 participants
@marcoscaceres @ianbjacobs @crowgames @danyao