Re: [w3c/payment-request] Add hasEnrolledInstrument() (#833)

marcoscaceres requested changes on this pull request.

Getting there... there is still a bit of repetition and some other little bits that I'd like to suggest we change.

> @@ -5260,15 +5333,15 @@ <h2>
       </section>
       <section>
         <h2>
-          canMakePayment() protections
+          hasEnrolledInstrument() protections
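
Review bot: the `+` heading line replaces "canMakePayment() protections" outright instead of adding a second section, so after this change the document has no heading covering abuse protections for canMakePayment(). If that method still reveals anything to the payee, its protections need to stay stated somewhere. The section also has no explicit id in the visible context, so any fragment link that relied on an id derived from the old heading text will stop resolving once the title changes. Giving the section a stable id would avoid that.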

```suggestion
          <code>hasEnrolledInstrument()</code> protections
```

> @@ -5260,15 +5333,15 @@ <h2>
       </section>
       <section>

```suggestion
       <section id="hasEnrolledInstrument-privacy">
```

>          </h2>
         <p data-link-for="PaymentRequest">
-          The <a>canMakePayment()</a> method enables the payee to call
-          <a>show()</a> if the user is ready to take advantage of the API, or
-          to fall back to a legacy checkout experience if not. Because this
-          method shares some information with the payee, user agents are
-          expected to protect the user from abuse of the method, for example,
-          by restricting the number or frequency of calls.
+          The <a>hasEnrolledInstrument()</a> method enables the payee to check
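
Review bot: the removed paragraph described the exposure only as "shares some information with the payee" and the mitigation only as something user agents "are expected to" do. The replacement paragraph starting at the `+` line should name what is disclosed (whether the user has an enrolled instrument) and state the call-rate restriction with a normative keyword. Otherwise the privacy section stays as vague for hasEnrolledInstrument() as it was for canMakePayment(), while the new method answers a more sensitive question.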

I'd suggest dropping the first sentence as it redefines what was already stated in the method's definition. Instead, just say something like:

"The <a>hasEnrolledInstrument()</a> method has the potential to expose user information that could be abused for fingerprinting purposes. The API allows the user agent to restrict the number or frequency of calls to reduce the risk of fingerprinting. User agents MAY allow the user to control the response to <a>hasEnrolledInstrument()</a> via UI or provide their own means of protection (e.g., always returning with true)."

>          <p class="note">
-          The <a>canMakePayment()</a> method can be used by the developer to
-          determine if the <a>PaymentRequest</a> object can be used to make a
-          payment, before they call <a>show()</a>. It returns a <a>Promise</a>
-          that will be fulfilled with true if the <a>user agent</a> supports
-          any of the desired <a>payment methods</a> supplied to the
-          <a>PaymentRequest</a> constructor, and false if none are supported.
-          If the method is called too often, the user agent might instead
-          return <a>a promise rejected with</a> a "<a>NotAllowedError</a>"
-          <a>DOMException</a>, at its discretion.
+          The <a>hasEnrolledInstrument()</a> method can be used by the developer
+          to determine if the <a>user agent</a> not only has support for one of
+          the desired <a>payment methods</a> but is also "ready for payment" (
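
Review bot: on the last `+` line, "ready for payment" is introduced in scare quotes with no link to a definition, so the note leaves open what condition the returned promise actually reports. Link it to a defined term or spell the condition out. Separately, the removed lines documented that excessive calls may yield a promise rejected with a "NotAllowedError" DOMException. If that sentence is not carried over into this note, make sure the rejection is still specified in the method's algorithm, so developers can find out that the call may reject.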

I'd suggest dropping everything after "but also..." and replacing it with:

"and if a <a>payment handler</a> has an instrument ready for payment. See <a href="#hasEnrolledInstrument-privacy"></a> for privacy considerations."

And also drop the actual details (i.e., the "If the method is called too often..."). 

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/pull/833#pullrequestreview-204453149

Received on Friday, 15 February 2019 22:20:13 UTC