Re: [w3c/webpayments-payment-apps-api] Payment apps and methods, are they the same? (#35)

> A payment app may live in https://bobpay.xyz/sw.js and may be described in https://bobpay.xyz/payment-app.json. The JSON file should contain the app's title and icons at the very least. This is also a good place to specify a list of all payment methods that this app supports.
> 
> A payment method may be defined in https://bobpay.xyz/payment-method.json. This JSON file should describe who is allowed to use this payment method. This can be either unrestricted or a whitelist of payment app identifiers, i.e., URLs.
> 
> Thus we have both a payment app and a payment method identified by https://bobpay.xyz.

I don't like this model of fixed names for the manifests at all. This feels like the favicon debacle all over again. If you want to identify a payment method, use the actual URL where the manifest file is, not an origin that then gets converted into a URL by some magic formula.

If we used this model, how could a single origin define multiple payment methods or apps?

If there is a desire to specify which origins can publish apps for a method, then that can be the format for a specific property in the payment method manifest, e.g. `allowed_app_origins : ["https://bobpay.xyz"]`, but the manifest can also specify specific apps, e.g. `allowed_apps: ["https://bobpay.xyz/payment-app.manifest"]`, or even inline:

```jsonc
{
  // Allow any apps from bobpay.xyz origin
  "allowed_app_origins": ["https://bobpay.xyz"],
  // Also allow this specific app from alicepay.xyz
  "allowed_apps": [{
    "short_name": "AlicePay",
    "icons": [],
    "payment_methods": ["https://alicepay.xyz/method"],
    "service_worker": "/app/sw.js"
  }]
}
```

-- 
View it on GitHub:
https://github.com/w3c/webpayments-payment-apps-api/issues/35#issuecomment-246298610

Received on Monday, 12 September 2016 09:43:59 UTC
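
Added example, not part of the original message or of any W3C specification: one way a user agent could evaluate the `allowed_app_origins` and `allowed_apps` properties proposed above against a candidate payment app manifest URL. The function names, the HTTPS-only rule and the exact-match rules are assumptions; the check compares parsed origins rather than string prefixes, so a lookalike host or a different port does not match.

```javascript
// Added example. Property names come from the message above; the matching
// rules (HTTPS only, exact origin, exact manifest URL) are assumptions.
function parseHttpsUrl(value) {
  try {
    const url = new URL(value);
    return url.protocol === "https:" ? url : null;
  } catch {
    return null; // not an absolute URL
  }
}

function isAppAllowed(methodManifest, appManifestUrl) {
  const app = parseHttpsUrl(appManifestUrl);
  if (!app) return false;

  // Origin entries: compare parsed origins, never string prefixes.
  const origins = methodManifest.allowed_app_origins || [];
  for (const entry of origins) {
    const allowed = parseHttpsUrl(entry);
    if (allowed && allowed.origin === app.origin) return true;
  }

  // App entries: strings are manifest URLs, matched exactly after parsing.
  // Inline objects carry no URL to compare against and are skipped here.
  const apps = methodManifest.allowed_apps || [];
  for (const entry of apps) {
    if (typeof entry !== "string") continue;
    const allowed = parseHttpsUrl(entry);
    if (allowed && allowed.href === app.href) return true;
  }
  return false;
}

// Constructed sample manifest using the hostnames from the thread.
const sampleMethodManifest = {
  allowed_app_origins: ["https://bobpay.xyz"],
  allowed_apps: [
    "https://alicepay.xyz/payment-app.manifest",
    {
      short_name: "AlicePay",
      icons: [],
      payment_methods: ["https://alicepay.xyz/method"],
      service_worker: "/app/sw.js",
    },
  ],
};
```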