Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add section on Payment Handler Matching #582

Merged
merged 2 commits into from Aug 11, 2017
Merged

Add section on Payment Handler Matching #582

merged 2 commits into from Aug 11, 2017

Conversation

ianbjacobs
Copy link
Collaborator

@ianbjacobs ianbjacobs commented Aug 10, 2017
edited by pr-preview bot

Based on WG discussion today [1], this pull request endeavors (in a non-normative section) to:

  • Raise awareness that for security reasons a user agent might not include a payment handler from an origin other than the origin of a URL PMI.
  • Raise awareness that user agents may also increase the set of matching payment handlers based on payment method owner information.

This pull request is not more specific than that in order to make it easier to include this text in the CR draft. If there were support for being more explicit, I would be glad to mention two ways
that we are working on where payment method owners delegate authority: W3C-defined
payment method specs and Payment Method Manifest.

At this point, I have this algorithm in mind when looking at the question of matching
payment handlers from origins other then the origin of a PMI URL.

  • If the user agent does not find a payment method manifest, then it should not include
    payment handlers from origins other than the origin of the PMI URI.

  • If the user agent does find a payment method manifest, but it is broken in any way,
    then the user agent should not include payment handlers from origins other than
    the origin of the PMI URI.

  • Otherwise, the user agent authorizes payment handlers from other origins
    according to the payment method manifest spec.

@rsolomakhin has written a Payment Handler API pull request [2] that addresses
the origin / payment method manifest consideration for Web-based payment apps.
However, that algo might reasonably apply to native mobile apps. Thus, it feels
to me like it belongs in PR API, but I am not proposing that it be included at this time
due to CR timing considerations.

Ian

[1] https://www.w3.org/2017/08/10-wpwg-minutes
[2] w3c/payment-handler#197

Preview | Diff

marcoscaceres
marcoscaceres approved these changes Aug 11, 2017
View reviewed changes
Copy link
Member

@marcoscaceres marcoscaceres left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved with my small changes (don't use RFC2119 keywords in non-normative sections, please).

Fixed xrefs and tidy'd also.

@ianbjacobs
Copy link
Collaborator Author

Thank you, @marcoscaceres

@marcoscaceres marcoscaceres merged commit a9c6a1f into gh-pages Aug 11, 2017
@marcoscaceres marcoscaceres deleted the payment_app_sec branch January 17, 2018 04:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marcoscaceres marcoscaceres marcoscaceres approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@ianbjacobs @marcoscaceres