Re: [w3c/payment-request] WIP - very rough sketch of requestShippingAddress() method (#873)

@samuelweiler I incorporated your comments:

- Added a note in Section 10 to discourage the use of the boolean and encourage the use of the new `requestShippingAddress()` method. Also noting potential future deprecation of the boolean.
- Added similar note to Section 18.4.2
- Added the detailed algorithm to Section 18.4.2 to highlight how the incremental request interacts with the concept of redactList.

I didn't add a note to the Security Considerations in Section 20.7 because that section currently focuses on non-normative recommendations to payment handler implementers to not overshare user information (especially billing address) via `PaymentMethodChangeEvent`. I considered expanding it to highlight the user agent's responsibility to not overshare shipping address in `PaymentRequestUpdateEvent`, but I felt it's redundant with the normative requirements encoded in the algorithm in 18.4.2. I also considered adding a non-normative note to compel the payee to use `requestShippingAddress()`, but that also seems redundant with the other notes in Sections 10 and 18.4.2.

Would you mind taking another look? @marcoscaceres @ianbjacobs @aestes PTAL as well.

Also, as I was writing up the algorithm, I realized that the UX implementation may be tricky and would like to hear what others think. Say a payee initially requests "country", then requests "region", should the user agent prompt the user for permission each time? This could be annoying. Should the user agent ask for a blanket permission upfront, e.g. "your shipping information will be shared"? But this is a bit misleading because the user perceives that more information is being shared than what the payee is actually asking for.

Currently this is only a problem for user agents with built-in payment methods (e.g. ApplePay in Safari and basic-card in Chrome). Soon, payment handlers will face this problem as well when they start to support delegated shipping and contact information (https://github.com/w3c/payment-handler/issues/337).


Received on Friday, 13 September 2019 15:59:52 UTC