Add section on Payment Handler Matching #582
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Based on WG discussion today [1], this pull request endeavors (in a non-normative section) to:
This pull request is not more specific than that in order to make it easier to include this text in the CR draft. If there were support for being more explicit, I would be glad to mention two ways
that we are working on where payment method owners delegate authority: W3C-defined
payment method specs and Payment Method Manifest.
At this point, I have this algorithm in mind when looking at the question of matching
payment handlers from origins other then the origin of a PMI URL.
If the user agent does not find a payment method manifest, then it should not include
payment handlers from origins other than the origin of the PMI URI.
If the user agent does find a payment method manifest, but it is broken in any way,
then the user agent should not include payment handlers from origins other than
the origin of the PMI URI.
Otherwise, the user agent authorizes payment handlers from other origins
according to the payment method manifest spec.
@rsolomakhin has written a Payment Handler API pull request [2] that addresses
the origin / payment method manifest consideration for Web-based payment apps.
However, that algo might reasonably apply to native mobile apps. Thus, it feels
to me like it belongs in PR API, but I am not proposing that it be included at this time
due to CR timing considerations.
Ian
[1] https://www.w3.org/2017/08/10-wpwg-minutes
[2] w3c/payment-handler#197
Preview | Diff