- From: ianbjacobs <notifications@github.com>
- Date: Tue, 24 Jan 2017 20:05:12 -0800
- To: w3c/webpayments-payment-apps-api <webpayments-payment-apps-api@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/webpayments-payment-apps-api/issues/96/275013717@github.com>
Hi @marcoscaceres, Thanks for the code! First, bank.com is doing the evaluation of the merchant filter. That is consistent with what we've sought. Second, it seems that the browser is giving bank.com's service worker only the data associated with the payment method(s) supported by bank.com. That's also consistent with what we've sought. However, it suggests that a subset of methodData is given to the payment app, and I had the impression from another discussion you did not want to do that. Perhaps I have misunderstood one suggestion or the other. But our current preference is for the browser to give the service worker only that information relevant for the payment methods it supports. When we first started talking about service worker handling of filters, people observed the following: * The general flow works like this: the merchant calls payment request API, the browser determines which payment apps match the accepted payment methods, the browser displays the matching ones, the user selects one, and only at that moment does the payment app gets the payment request data. * In your proposal, the flow works like this: the merchant calls payment request API, the browser determines which payment apps match the accepted payment methods, then the browser sends those payment apps the filter data for those payment apps and the payment app evaluates the filter, the browser displays the matching ones (taking into account the responses from the payment apps), the user selects one, and then the selected payment app gets the rest of the payment request data. Thus, your proposal reveals information about the transaction to all payment apps with matching payment methods, before any one of those payment apps has been selected by the user. People expressed privacy concerns with this approach. That's why we pursued a design where the payment app registers a function that the browser can evaluate outside of the payment app's knowledge. I hope that sheds light on how we ended up with what we have. I look forward to more discussion to work through this, Ian -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/webpayments-payment-apps-api/issues/96#issuecomment-275013717
Received on Wednesday, 25 January 2017 04:06:09 UTC