Re: [paymentrequest] Should the Payment Request API only be available in a top-level browsing context? (#30)

There is a prominent use case that would require third-parties to be able to call the API (with explicit permission from the top-level context). That is the case of merchants (the top-level context) who offload their processing to third-party PSPs (sub-context) without doing a complete redirect of the user's browser to the PSP's website. @mattsaxon and @mountainhippo can provide some more detail I'm sure.

i.e. We DO need a mechanism for the top-level website to provide explicit permission to 3rd parties to call the API.

I would recommend that we get some thoughts from WebAppSec on this. cc @hillbrad

> In fact, even the top-level context should not be able to learn what payment instruments the user supports before the user selects the appropriate one, which requires a secure context that cannot contact the merchant, but maybe that discussion belongs in another issue.

:+1: The calling website learns nothing about the status of the request until the user has selected a payment app and the app has returned a response. It's even possible that the website never knows what app was used if the payment method response is standardized and that is all that's returned.

This is all with one caveat. It will be very valuable for a website to check if its *own* payment app is installed. This would be enforced by the UA, which knows the origin of the app publisher and only supports the use of this API function if the origin of the current browsing context is the same. Merchants and PSPs that publish apps to facilitate custom payment methods that incorporate features such as loyalty programs or coupons will need a way to tailor the user experience prior to issuing the payment request, so they can encourage customers to log in (so they can customize the payment request) or install the merchant's payment app.

@burdges - This is related to your comment here too: https://github.com/w3c/webpayments/issues/28#issuecomment-163893044

---
Reply to this email directly or view it on GitHub:
https://github.com/WICG/paymentrequest/issues/30#issuecomment-163933084

Received on Friday, 11 December 2015 13:10:12 UTC
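The two access-control decisions discussed in the message above, a top-level document explicitly delegating the API to a third-party PSP frame and a same-origin check before a site may probe for its *own* payment app, can be modelled in a few lines. The block below is an added example, not code from this thread or from any browser or the Payment Request spec. It borrows the `allow` attribute syntax that browsers later standardised as Permissions Policy (`payment`, with `'self'`, `'src'`, `'none'`, `*` or explicit origins) for the "explicit permission" the message asks for; the function names and all origins are constructed for illustration, and `'src'` is simplified to mean the origin the frame actually loaded.

```javascript
// Added example: a model of how a user agent could gate a payment API on the
// browsing-context chain and on origin. Not spec text; names are hypothetical.

const FEATURE = "payment";

// Parse an iframe `allow` attribute such as
//   "payment https://psp.example; camera 'none'"
// into Map<feature, allowlist[]>. A feature with no allowlist defaults to 'src'.
function parseAllowAttribute(allow) {
  const policy = new Map();
  for (const decl of allow.split(";")) {
    const tokens = decl.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...allowlist] = tokens;
    policy.set(feature, allowlist.length ? allowlist : ["'src'"]);
  }
  return policy;
}

// Does `allowlist` grant the feature to a frame at `frameOrigin` embedded by a
// document at `parentOrigin`? 'src' is simplified to the frame's loaded origin.
function allowlistMatches(allowlist, frameOrigin, parentOrigin) {
  for (const entry of allowlist) {
    if (entry === "'none'") return false;
    if (entry === "*") return true;
    if (entry === "'src'") return true;
    if (entry === "'self'" && frameOrigin === parentOrigin) return true;
    if (entry === frameOrigin) return true;
  }
  return false;
}

// `frames` runs from the top-level document down to the calling document:
//   { origin: "https://merchant.example" }                         (top level)
//   { origin: "https://psp.example", allow: "payment" }            (its iframe)
// `allow` is the attribute on the <iframe> element that embeds that frame.
// Without an attribute the default allowlist for payment is 'self', so only
// same-origin sub-frames inherit the capability; every hop must grant it.
function mayCallPaymentRequest(frames) {
  for (let i = 1; i < frames.length; i++) {
    const parent = frames[i - 1];
    const frame = frames[i];
    const policy = frame.allow ? parseAllowAttribute(frame.allow) : new Map();
    const allowlist = policy.get(FEATURE) ?? ["'self'"];
    if (!allowlistMatches(allowlist, frame.origin, parent.origin)) return false;
  }
  return true;
}

// The caveat from the message: a site may ask "is my own payment app installed?"
// only when the calling document's origin equals the app publisher's origin.
// URL.origin normalises scheme, host and port (default ports are dropped), so
// "https://merchant.example:443/checkout" and "https://merchant.example/app" match.
function mayProbeOwnPaymentApp(callerUrl, appPublisherUrl) {
  try {
    return new URL(callerUrl).origin === new URL(appPublisherUrl).origin;
  } catch {
    return false; // malformed URL: deny rather than leak installed-app state
  }
}

// Constructed scenario: merchant top level, PSP iframe with an explicit grant.
const checkoutFrames = [
  { origin: "https://merchant.example" },
  { origin: "https://psp.example", allow: "payment https://psp.example" },
];
console.log(mayCallPaymentRequest(checkoutFrames)); // true
console.log(mayProbeOwnPaymentApp("https://psp.example/frame", "https://merchant.example/app")); // false
```

The interesting cases are the denials: a PSP frame with no `allow` attribute is refused because the default allowlist is `'self'`, and a fourth-party frame nested inside a permitted PSP frame is refused unless the PSP delegates again, so every hop in the chain must opt in explicitly.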