- From: Adrian Hope-Bailie <adrian@hopebailie.com>
- Date: Wed, 16 Sep 2015 20:40:25 +0200
- To: Anders Rundgren <anders.rundgren.net@gmail.com>
- Cc: "public-webpayments-comments@w3.org" <public-webpayments-comments@w3.org>, Web Payments CG <public-webpayments@w3.org>
- Message-ID: <CA+eFz_KvZHDnyJbaX=TSVf0iKk9VySr-v8VHogLTnQLc5Y7kfA@mail.gmail.com>
On 16 September 2015 at 17:29, Anders Rundgren < anders.rundgren.net@gmail.com> wrote: > On 2015-09-16 17:18, Adrian Hope-Bailie wrote: > <snip> > > The security model required by Web wallets won't permit payment >> instrument >> enumeration so they have rather different characteristics compared to >> any >> form of local wallet. >> >> >> I'm not sure I understand this statement. I see no issue with a message >> > > object being POST'ed to a Web wallet's API endpoint? > > I guess you haven't tested my Wallet PoC? I have but that is not a Web wallet by your definition IIRC? > Anyway, a local wallet can without > security issues enumerate payment instruments/cards since the user is > assumed > to be authenticated to the device. > I'm still unsure what you mean by "enumerate payment instruments"? > > There's no similar function for Web wallets today, you must be > authenticated > to see what's inside which makes them less interoperable with other > wallets. > > I disagree. Here's one example of how this could work. I'm sure there will be other suggestions The payment initiation message contains information from the payee along the lines of "these are the ways you can pay me and this is what you need to pay". It is sent by the merchant website to the browser's payment API. If the browser is configured to use a Web-wallet it can POST that message to the Web-wallet API endpoint using whatever existing session information/cookies etc exist for the origin of the Web-wallet API. Let's assume that there is no existing session. The browser gets back a 403 (or whatever response we define as appropriate in the recommendation) with the necessary information to open a new window (pop-up or otherwise) at the appropriate URL to authenticate the user and complete the payment initiation process. Upon completion the wallet is expected to call some browser API with the payment initiation response that will be forwarded back to the original calling website. The recommended behavior for the browser is to close the wallet UI window (effectively a dialogue) and return the user focus back to the merchant website where the response is being returned and the flow continues under the control of that website. > Anders >
Received on Wednesday, 16 September 2015 18:40:55 UTC