Re: [webpayments] What gets registered - apps, wallets, or payment instruments? (#28)

The job of the payment mediator is to create a distinct separation between the website and payment app so that all comms between them are passed through the mediator, which is able to do what is best for the user both in terms of privacy protection and security.

> Ideally, payment applications should not even be able to reveal that they're installed until the user selects them.

:+1: - I'd go one further and say there is no reason that a payment app ever has to reveal that it is installed to the calling website. The response that the website gets to a payment request is formatted according to the specifications of the payment method in use. If this is a generic method that is supported by many apps the website shouldn't be able to infer which app is being used at all.

_What follows is a copy of my response to your comment at: https://github.com/WICG/paymentrequest/issues/30#issuecomment-163905421_

> This is all with one caveat. It will be very valuable for a website to check if its own payment app is installed. This would be enforced by the UA which knows the origin of the app publisher and only supports the use of this API function if the origin of the current browsing context is the same. Merchants and PSPs that publish apps to facilitate custom payment methods that incorporate features such as loyalty programs or coupons will need a way to tailor the user experience prior to issuing the payment request so they can encourage customers to log in (so they can customize the payment request) or install the merchant's payment app.

@burdges:
> In particular, the payment applications should never learn that the user has visited a page selecting payment until the user selects that particular payment application, as payment applications might have network access themselves.

:+1: - Invoking the payment application is up to the payment mediator and should only be done after the user has selected the app they wish to use. I'd go further and say that the mediator should trim the payment request of any data that is not relevant for the payment methods that the app supports.

Unless a payment method specifies a way that this is passed in a payment request it's unlikely that the payment will ever know what the calling website is.

---
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments/issues/28#issuecomment-163931090

Received on Friday, 11 December 2015 12:58:30 UTC
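
The mediator behaviour discussed in this message, sketched as an added example that is not part of the original message or of any specification. Every name and object shape below (`eligibleApps`, `trimRequestForApp`, `responseForWebsite`, `isOwnAppInstalled`, the request and app records) is a hypothetical assumption, and the sample data is constructed.

```javascript
// Hypothetical mediator model: names and shapes are assumptions for illustration.
// Constructed sample data: two installed apps and one payment request.
const installedApps = [
  { id: "app-a", publisherOrigin: "https://bank.example", methods: ["generic-card"] },
  { id: "app-b", publisherOrigin: "https://shop.example", methods: ["shop-loyalty", "generic-card"] },
];
const sampleRequest = {
  callerOrigin: "https://shop.example", // known to the mediator, never forwarded
  total: { currency: "USD", value: "25.00" },
  methodData: {
    "generic-card": { networks: ["visa"] },
    "shop-loyalty": { memberId: "constructed-123" },
  },
};

// Matching runs inside the mediator from registered metadata, so no app is
// invoked (or learns a checkout is happening) before the user selects it.
function eligibleApps(request, apps) {
  const wanted = Object.keys(request.methodData);
  return apps.filter((app) => app.methods.some((m) => wanted.includes(m)));
}

// What the selected app receives: only the data for methods it supports,
// and no caller origin unless a payment method itself carries one.
function trimRequestForApp(request, app) {
  const methodData = {};
  for (const [method, data] of Object.entries(request.methodData)) {
    if (app.methods.includes(method)) methodData[method] = data;
  }
  return { total: request.total, methodData };
}

// What the website receives: the method-formatted response with no app
// identifier, so a generic method does not reveal which app handled it.
function responseForWebsite(method, details) {
  return { method, details };
}

// Install check limited to the caller's own apps: a site can only match
// apps whose publisher origin equals its own origin.
function isOwnAppInstalled(callerOrigin, apps) {
  return apps.some((app) => app.publisherOrigin === callerOrigin);
}
```
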