W3C home > Mailing lists > Public > public-payments-wg@w3.org > May 2016

Re: User Consent and Addresses

From: Adrian Hope-Bailie <adrian@hopebailie.com>
Date: Wed, 11 May 2016 10:40:21 +0200
Message-ID: <CA+eFz_Jk0LJQjmt5PQTu8z3O6jMm9EP7Dk9Z+4B6PzhbSAfOMQ@mail.gmail.com>
To: Tommy Thorsen <tommyt@opera.com>
Cc: Adam Roach <abr@mozilla.com>, Dave Longley <dlongley@digitalbazaar.com>, Ian Jacobs <ij@w3.org>, Adrian Bateman <adrianba@microsoft.com>, Web Payments Working Group <public-payments-wg@w3.org>

> Web Page ---PaymentRequest---> Payment Mediator
> ---SerializedPaymentRequest---> Payment App
> Web Page <---onshippingaddresschange--- Payment Mediator
> Web Page <---PaymentResponse--- Payment Mediator
> <---SerializedPaymentResponse--- Payment App
Actually this is not the flow.

The data collection steps (shippingaddresschange events and handling of
these) must be done before the request is passed to the payment app.

The assumption is that once the request is passed to the payment app the
final amount is known.

This is why the data collection is done through the same (or prior) user
interface as the payment app selection.

I believe that Adam's point is that when the user is capturing data into
that UI it is not clear to the user that that data is being passed back to
the website before the user even selects a payment app.

Put differently, if the user selects their shipping address and then
cancels the payment before even selecting a payment app they have already
given the website their shipping address.

> I see why the onshippingaddresschange is needed (for updating the Payment
> Request when the shipping address changes), but it feels a bit messy with
> the two different ways of passing the shipping address back. We could solve
> that by only letting the Payment Mediator supply shipping address, and then
> only through the onshippingaddresschange mechanism. That means we remove
> the shippingAddress field from the PaymentResponse and as a result also
> remove the Payment App's ability to supply the shipping address. This would
> be a lot cleaner, and a lot easier to both specify and implement.

Matt Saxon raised a similar point in last week's call. There is a risk that
if both the website and the payment app need to collect the same data (eg:
email address, if the website wants to email a receipt and if the payment
app uses this to authenticate the user) then we make the user experience
worse, not better.

> On Tue, May 10, 2016 at 4:36 PM, Adam Roach <abr@mozilla.com> wrote:
>> On 5/10/16 09:15, Tommy Thorsen wrote:
>> I'm referring to the "Payment Apps" and the "HTTP API" spec proposals
>> here:
>> http://w3c.github.io/webpayments-http-api/#generating-a-payment-response
>> https://w3c.github.io/webpayments/proposals/paymentapps/payment-apps.html#submitting-the-paymentrequest-to-the-payment-app
>> Both of these propose to pass the payment request to the payment app by
>> using an HTTP POST.
>> Sure, but those POST requests come from the payment mediator, not the
>> merchant site. I understand the proposal to look like:
>> Web Page <---PaymentRequest---> Payment Mediator <---POST---> Payment App
>> The event is used by PaymentRequest, and the shippingAddress field is
>> used in the POST response. Right?
>> --
>> Adam Roach
>> Principal Platform Engineer
>> Office of the CTO
Received on Wednesday, 11 May 2016 08:40:50 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 May 2016 08:40:51 UTC