Re: [w3c/payment-handler] Add CanMakePaymentEvent and AbortPaymentEvent. (#170) from Jinho Bang on 2017-08-30 (public-webpayments-specs@w3.org from August 2017)

From: Jinho Bang <notifications@github.com>
Date: Wed, 30 Aug 2017 07:35:04 -0700
To: w3c/payment-handler <payment-handler@noreply.github.com>
Cc: webpayments-specs <public-webpayments-specs@w3.org>, Comment <comment@noreply.github.com>
Message-ID: <w3c/payment-handler/pull/170/c326010196@github.com>

Hi all,

I tried to understand your discussion but I didn't understand fully due to my lack of insight.

If my understanding is correct, the problem is that CanMakePayment event can be triggered with no user interaction. For example, once a user registers a payment handler provided by bobpay.com, calling canMakePayment() on the merchant site will trigger CanMakePayment event to the SW provided by bobpay.com with no user interaction. At that time, bobpay.com might get information that the user has purchased something.

However, I thought that we already have requestPermission() for it. We can add a permission check before CanMakePayment event is triggered. (Rouslan's PR is not represented yet but we can add them.)

Perhaps you might think that a complicated UX flow should be added to check for additional permissions. But we already ask a user before registering a payment handler. So, I think we can recycle existing UX and ask whether allowing CanMakePayment event together.

For example, including a permission for receiving CanMakePayment event.
```
Do you want to register a new payment handler provided by bobpay.com?
You need to allow the following permissions:
- canmakepayment event (blah blah)
- paymentrequest event (blah blah)
```

In case of no CanMakePayment event,
```
Do you want to register a new payment handler provided by bobpay.com?
You need to allow the following permissions:
- paymentrequest event (blah blah)
```

I think this is very similar to push notification feature. Once a user allows a permission to receive push event for some origin, the site can trigger push events at anytime. So, we can write a polyfill for CanMakePayment event using push notification feature. It might mean that CanMakePayment's privacy risk is not significantly different from PushNotification's privacy risk.

WDYT?

--
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-handler/pull/170#issuecomment-326010196

Received on Wednesday, 30 August 2017 14:35:30 UTC