Re: User Consent and Addresses

On 10 May 2016 at 15:42, Ian Jacobs <ij@w3.org> wrote:

>
> > On May 10, 2016, at 8:29 AM, Adam Roach <abr@mozilla.com> wrote:
> >
> > On 5/10/16 08:16, Ian Jacobs wrote:
> >> Today if I type information (e.g., shipping address) in a form field,
> >> does that change the DOM and thus the merchant has access to the
> >> information immediately as well?
> >>
> >> I am wondering whether the behavior you describe for paymentRequest
> >> differs significantly from today’s form-based approach. (I say “I am
> >> wondering” because I think you have a better grasp than I do.)
> >>
> >
> > Yes, it certainly does have access. But there's a somewhat different
> > mental model between "I entered data into merchant.com's web page, so
> > merchant.com has access to it" and "I entered data into Bobpay's payment
> > app, so merchant.com has access to it, even if I never submitted it."
>
> Thank you for the clarification. I am hearing this:
>
>  1) I am interacting with merchant.com (browser-as-payment-app). This
> amounts to the form-fill case.
>

This is not correct. The browser renders a special "checkout UI" to the
user (during the process of selecting a payment app - not where the browser
is acting as the payment app) that displays the list items provided by the
website and also some data capture fields (if the website requested them).

When the user enters data into those fields, events are fired that the
website can listen for that give the website the data that was captured.


>  2) I am interacting with bob’s payment app (third-party-payment-app).
> This is a new origin.


> Is that your observation? Do you think API behavior should differ in those
> two cases?
>
> Ian
>
> --
> Ian Jacobs <ij@w3.org>      http://www.w3.org/People/Jacobs
> Tel:                       +1 718 260 9447

Received on Tuesday, 10 May 2016 15:30:18 UTC
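
The event flow described in the reply above, as an added example that is not part of the original thread: a small model of the checkout sheet showing that a merchant listener receives each address the user enters before the payment is ever confirmed. `CheckoutSheetModel`, `traceMerchantVisibility` and `runScenario` are hypothetical names, the addresses are constructed, and only the `shippingaddresschange` event name and the `requestShipping` option are taken from the PaymentRequest API.

```javascript
// Model of the browser-rendered checkout sheet (hypothetical stand-in, not the
// real PaymentRequest implementation); it reproduces only the event timing.
class CheckoutSheetModel extends EventTarget {
  constructor(options) {
    super();
    this.requestShipping = Boolean(options && options.requestShipping);
    this.shippingAddress = null;
    this.accepted = new Promise((resolve) => { this._resolve = resolve; });
  }

  // The user types or picks an address in the sheet's data capture field.
  userEntersAddress(address) {
    if (!this.requestShipping) return; // field absent unless the site asked for it
    this.shippingAddress = Object.freeze({ ...address });
    this.dispatchEvent(new Event('shippingaddresschange'));
  }

  // The user confirms the payment; only now does the accept promise resolve.
  userAccepts() {
    this._resolve({ shippingAddress: this.shippingAddress });
  }
}

// Merchant-side listener: records what the site can read, and in which phase.
function traceMerchantVisibility(sheet) {
  const seen = [];
  sheet.addEventListener('shippingaddresschange', (ev) => {
    seen.push({ phase: 'before-accept', address: ev.target.shippingAddress });
  });
  sheet.accepted.then((response) => {
    seen.push({ phase: 'after-accept', address: response.shippingAddress });
  });
  return seen;
}

// Constructed scenario: the user edits the address twice, then may abandon.
function runScenario({ userSubmits, requestShipping = true }) {
  const sheet = new CheckoutSheetModel({ requestShipping });
  const seen = traceMerchantVisibility(sheet);
  sheet.userEntersAddress({ city: 'Exampleville', postalCode: '00000' });
  sheet.userEntersAddress({ city: 'Sampletown', postalCode: '11111' });
  if (userSubmits) sheet.userAccepts();
  return seen;
}

console.log(runScenario({ userSubmits: false }));
```

In the abandoned scenario the merchant's trace already holds both addresses, which is the gap between the two mental models discussed in the thread.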