feat: rewrite all the things

[marcoscaceres]

• Removed wording about overloading identifiers (closes Reference manifest spec #33)
• Defined "standardized payment method identifier" (closes "W3C String" is overly generic #32)
• Cited URL standard (closes citation to dated version of since-abandoned url spec fork is unusual #30)
• Dropped dependency on [SECURE-CONTEXTS] (closes [SECURE-CONTEXTS] should be a normative rather than informative reference #29)
• defined "Standardized Payment Method Identifiers" (closes Payment Method Identifier needs dfn #23)
• Removed circular dependency (closes Circular dependency between PMI and PR specs #22)
• Added proper URL parsing and specific validation with error (closes Identifier equivalence does not handle failure #8 Check what happens if URL parsing throws.... #27 use of 'must' in section on Syntax of URLs as Payment Method Identifiers is suspicious #28)
• Added Security considerations sections (closes Add Security Considerations and Privacy Considerations sections #7)
• Added Marcos as editor + cleans up respecConfig
• Removes "Conditional Matching Beyond Payment Methods" (closes Remove "Conditional Matching Beyond Payment Method Identifier Matching" #34)

---

Preview | Diff

[marcoscaceres]

@annevk, just a 👍 if this is ok with you.

[annevk]

Depends, are these URLs exposed to users? Which parts of the URL are exposed to users?

[marcoscaceres]

They are never exposed to the user, presumedly (but I couldn't be 100% sure it would never happen - but people do crazy things). I was going to make a note of that.

[annevk]

If they're not exposed than most of the security considerations don't really apply I think. What did you think would apply?

[marcoscaceres]

Like you said, if they were ever displayed then I was concerned the considerations would apply. I'll just say that.

[ianbjacobs]

s/individual/individually

[annevk]

Just make the If statement a new step. url would be failure in that case.

[annevk]

"If url is failure, then throw a TypeError."

[annevk]

"If url's scheme ..."

[annevk]

Again, need to specify where the query and fragment come from.

[annevk]

Shouldn't this reference the URL parser again?

[marcoscaceres]

<a>parse</a> links to URL Parser. Is that what you mean? I can be more clear.

[annevk]

Okay. You used "URL parser" as well earlier. Seems weird to use different referencing terms within the same document.

[marcoscaceres]

Yeah, I see what you mean. I'll mirror more what you have in the URL spec.

[annevk]

This seems wrong since validate takes strings, not URLs.

[marcoscaceres]

Ah, good point.

[annevk]

"If url is failure"

[annevk]

Different exception really necessary? You'll have to write some tests to make sure it's thrown before a non-null query...

[marcoscaceres]

Ok, will just use TypeError here too.

[marcoscaceres]

(also noted about the test order)

[annevk]

I was hoping you'd abstract validate a bit somehow instead. Parse -> serialize -> parse seems really hacky.

[annevk]

identifiers*

[annevk]

Surely you should know whether they ever are? This seems a little weird.

[marcoscaceres]

You are right. Can definitely write this "as the world is today" - where there are no known instances of these URLs being rendered. Will fix.

[annevk]

Note that "I was hoping you'd abstract validate a bit somehow instead. Parse -> serialize -> parse seems really hacky." got lost due to a commit. One of the downsides of not addressing all comments in a single commit.

[domenic]

Do you really want to allow about:blank, about:srcdoc, wss: URLs, file: URLs, etc.? (All are potentially trustworthy.)

Do you want to allow usernames or passwords in the URL?

What is wrong with queries?

We probably need to synchronize https://w3c.github.io/payment-method-manifest/#fetch-payment-method-manifests step 2 with this.

[marcoscaceres]

I'm still of the opinion that we should:

• restrict this to "https" (because Payment Manifest is the only serious consumer of the end points)
• Recommend "best practice" to developers to use paths and avoid query, fragments, username, and password.

That would mean that any URL with a https:// scheme is a valid PMI-URL - and would make everything super simple.

[domenic]

Path and query seem equivalent to me: if you allow one you should allow the other.

I don't think we want to add another resource to the platform hidden behind HTTP auth, so I'd suggest disallowing username and password.

[marcoscaceres]

Ok, let's ban username and password. @zkoch has opinions about query/path - but hopefully the above can convince him to allow query.

I'll make preemptive changes to match.

[zkoch]

Query strings just feel more complicated to me and much easier for developers to get wrong. The whole goal was to give us the flexibility of URLs (to enable things like method manifests) but also make it as tightly scoped as possible to prevent developer error.

There's a lot of discussion on this at #9

[marcoscaceres]

Thanks @zkoch for the pointer.

As Anne states at the end of #9, the overloading of this URL as an identifier AND a resource could become a real issue.

@domenic, crazy thought... but what if, to enable payment manifests, a developer instead had to serve the link relationship (instead of bobpay):

So, https://merchant.com/checkout:

Link: <https://bobpay.com/manifest>; rel="payment-method-manifest"; pmi="https://bobpay.com"
Link: <https://alicepay.com/pay-manifest>; rel="payment-method-manifest"; pmi="https://alicepay.com"

Then, so long as Link and referenced PMI are same origin, then "https://bobpay.com/manifest" can be fetched.

This also has the benefit of allowing prefetching of the manifests.

[marcoscaceres]

(Added additional Link: above, to show how you could have multiple payment methods.)

[ianbjacobs]

How does the developer know where the manifest file is?

This puts the burden on 1 million developers instead of 1 time on the origin. Or am I missing something?

Ian

[domenic]

I don't really understand the Link proposal. @zkoch, I think your feeling about queries is off-base. They are equivalent to paths (and indeed, some server software uses them instead of paths). If we want to disallow paths and queries, that's fine, but we should not disallow just queries.

[domenic]

Generally since you don't want to get access to the blob URL store you probably want to use the basic URL parser

[marcoscaceres]

I actually think we should drop this section entirely. To compare two PMI URLs, you need to have first gone through the validation steps to get urlA and urlB. If we make that an invariant, then URL spec's "equals" algorithm can just be used without needing any of this.

[domenic]

That sounds great to me; let's get rid of it.

The larger point about using the basic URL parser throughout this spec stands though.

[domenic]

This algorithm would be better operating on parsed URLs, not on strings. Most places that call it seem to serialize the parsed URL before calling it, which is pretty pointless since it's just going to parse it again.

[marcoscaceres]

This is currently not the case in the Payment Request spec. In the "Process payment methods:", I was going to call "validate" just before step 4.2.2:

Let serializedData be the result of JSON-serializing paymentMethod.data into a string, if the data member of paymentMethod is present, or null if it is not. Rethrow any exceptions.

I can call the URL Parser in the Payment Request spec (re-throwing any errors), and then pass the URL into validate.

[domenic]

I can try to take another look at the callers tomorrow. What I remember is that all the callers in this document had to go through parse+serialize+parse. But maybe taking URLs as input is better anyway, not sure yet.

[domenic]

OK, after removing the matching algorithm, I see your perspective. But, I think that it's still a better algorithm if it's more "strongly typed", i.e. operates on URLs.

I have a separate issue which is that I think it should return true or false, instead of returning true or throwing a TypeError. E.g. in the payment-method-manifest spec we aren't in a context where throwing makes sense, so we'd have to "catch" the exception, even though we're not even in a JavaScript context where exceptions are sensible to talk about.

[marcoscaceres]

Agree. I'll make the change to only return true/false and move the exception handling to the PR spec.

[domenic]

Probably only the first "W3C" should be linked

[domenic]

missing space; mismatched pluralness

[domenic]

/cc @annevk we should probably move this to Infra (no action item for now on this document though)

[domenic]

I'm not sure this is quite accurate, given the existence of https://w3c.github.io/payment-method-manifest/... It's not very clear in general, and it's not clear what it has to do with security considerations.

[marcoscaceres]

Does payment manifest somehow expose these URLs to end users?

FWIW, I don't mind removing this section in its entirety, or just stating: "There are no known privacy or security issues to be considered at this time. This is subject to change as this specification evolves." or something like that.

[domenic]

Won't end users end up seeing something like "Pay with https://android.google.com/pay"?

I'd be OK with removing it too.

[domenic]

Probably the first use of API in the document should get this treatment, not one middle-way through the document. Although IMO it's not necessary at all.

[ianbjacobs]

@domenic wrote:

Do you really want to allow about:blank, about:srcdoc, wss: URLs, file: URLs, etc.? (All are potentially trustworthy.)

I think the answer is "no." However, I wonder if there are some use cases for them (e.g., local testing of a payment method?) We've not really discussed those, and I think the intended use cases are for published payment method manifest files.

Do you want to allow usernames or passwords in the URL?

Again, I think the answer is "no" but there might be use cases we've not considered.

What is wrong with queries?

I don't recall the rationale exactly, but I think it had to do with simplicity.

These are good questions.

Ian

[marcoscaceres]

This is ready for final review.

[zkoch]

This seems a bit confusing to me at first read. All we're trying to say is "methods either match (great) or they don't (ignored)." It took me a bit to understand what this meant. Example might help?

[marcoscaceres]

Adding as a separate bug: #37

[zkoch]

Minor nit I commented on, otherwise LGTM