Re: [webpayments] How are payment instruments registered? (#14) from Adrian Hope-Bailie on 2015-12-09 (public-payments-wg@w3.org from December 2015)

From: Adrian Hope-Bailie <notifications@github.com>
Date: Wed, 09 Dec 2015 02:56:38 -0800
To: w3c/webpayments <webpayments@noreply.github.com>
Message-ID: <w3c/webpayments/issues/14/163188290@github.com>

> their self-description (in manifest form for example) must provide enough information for user agents to retrieve and automatically install the software necessary to make use of them from the Web.

+1 - in terms of what we standardize.

We should specify a mechanism for payment apps to be registered via the browser API as a minimum and then expect platform vendors to offer other ways to achieve the same outcome as they see fit (installed as an app on mobile, as a browser extension on desktop etc).

This may be as simple as:
```javascript
navigator.payments.registerPaymentApp({
"id" : "https://xyzbank.com/app/"
"label" : "XYZ Bank",
"icon" : "https://xyzbank.com/icons/app.png",
"supportedPaymentMethods" : ["https://visa.com/debit/v2", "https://bitcoin.org"],
"endpoint" : "https://xyzbank.com/app/"
});
```

I'd expect the payment mediator to also record what origin this app was installed from and block installation if the endpoint is not at the same origin. Further, I'd expect the payment mediator to offer a way for the app to update the set of supported payment methods over time.

An additional feature I'd like to see is an API like the following that allows app publishers to probe if their app is installed:
```javascript
navigator.payments.isPaymentAppInstalled({"https://xyzbank.com/app/"});
```
This API would only ever return true if the call is made from the same origin as the that which registered the app.

If the app was registered through an alternative mechanism then it should be able to specify it's origin. (I believe app stores have ways of doing this on mobile platforms. i.e. tying apps to an origin.)

Manifests are one way to facilitate this but they shouldn't be the only one as this seems to imply a single origin can only ever publish a single payment app.

I would also prefer the registration of a payment app to be an explicit request from the publisher via the API than something a user may stumble into because they visited the site and it's manifest specifies it has a payment app.

---
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments/issues/14#issuecomment-163188290

Received on Wednesday, 9 December 2015 10:57:10 UTC