Contact emails
jinho...@samsung.com, rou...@chromium.org, anth...@chromium.org, goge...@chromium.org, zk...@chromium.org, durga...@chromium.org
Spec
The current iteration of the spec is at https://w3c.github.io/payment-handler/, but we would like to ship with the pull request for CanMakePaymentEvent (corresponding WPT pull request) and the pull request for removing requestPermission. These pull requests are unlikely to change, but in the worst case scenario we can turn off this feature before it hits stable if there are disagreements.
Summary
The Payment Handler API enables development of payment apps in web standard ways (e.g., service worker).
Link to “Intent to Implement” blink-dev discussion
https://groups.google.com/a/chromium.org/d/msg/blink-dev/2ojnMk_T9_c/h7QfIhTeCAAJ
Is this feature supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
Demo link
https://rsolomakhin.github.io/pr/apps/ (Enabled by default in Chrome Canary.)
Risks
Interoperability and Compatibility
Interoperability risk: low -- have web platform test suite, working together with Mozilla.
Compatibility risk: none -- this is a new API.
Edge: No signals
Firefox: Participating
Safari: No signals
Web developers: Positive
Ergonomics
Payment Handler API is used in tandem with Service Worker, Payment Method Manifest, and Payment Request.
Activation
It should not be challenging for developers to take advantage of this feature immediately as-is.
Is this feature fully tested by web-platform-tests? Link to test suite results from wpt.fyi.
https://w3c-test.org/payment-handler/
https://wpt.fyi/payment-handler
Entry on the feature dashboard
https://www.chromestatus.com/feature/5160285237149696
Hi All, Just a heads up that Mozilla folks are drafting a response to this intent to ship with a couple of concerns for us to discuss. Will post it soon!
Dear Blink-Dev Friends, Mozilla would respectfully request that you reconsider shipping the Payment Handler API (or consider continuing to ship it behind a flag). As active participants in the Payment Handler work, we have several serious concerns with the Payment Handler API that we would like to discuss.
Of primary concern is the maturity of the specification. Although work on this specification has been ongoing since 2016, it has received relatively little attention when compared to the Payment Request API. Although those implementing at Google and Samsung have been reporting back with great implementation experience, Mozilla has not yet had a chance to evaluate implementability in our own browser. As this API deals with extremely important credentials (monetary instruments), we feel that we need to have a complete model for how this API interfaces with credential management, storage, and permissions. Discussions around these topics are ongoing as part of the standards setting process, but we don't feel that we have adequate answers yet to how everything will work together.
Secondly, the API has received relatively little review and quality assurance. Although a TAG review has been requested, it’s not yet taken place [0]. Additionally, as part of the process to assure the quality of the specification, Mozilla and Google have been coordinating closely on the web platform tests. However, thus far, together, we've only landed the absolute minimum: only the IDL definitions [1]. We still lack tests for all methods, the algorithms written in prose, and for attacking the state machine.
We'd like to emphasize the seriousness of the lack of tests: with the Payment Request API, our combined testing efforts not only greatly improved the quality of the specification, but it also managed to expose potential security vulnerabilities in the spec's state machine, and managed to crash multiple browsers, not just a child/tab process, with very simple attacks - things that we exposed and fixed together to the benefit of all constituents.
Thirdly, the Payment Request API, on which the Payment Handler API relies, is not yet meeting the needs of implementers - particularly requests from the WebKit team - and important partners like Stripe, on which merchants deploying this technology at scale will rely. We currently have 19 outstanding issues to close that implementers and merchants have agreed are critical to get us past "CR" - that is, to have something that adequately addresses real world use cases that allow people to buy things (not just W3C process stuff!). As such, we would encourage Google folks to continue to help us close those issues first, and help us and ship the necessary API changes being requested (there are quite a few and they range quite a bit in complexity). Over the next year, we should expect to see wider adoption and use of the API and and thus receive more real world feedback from those attempting to deploy the Payment Request API at scale.
Lastly, we are concerned by the lack of support from other implementers for the Payment Handler API. Both Microsoft and Apple are not participating in the work at this moment in time. We can't speak for their rationale for not participating. We are concerned at seeing Google moving on their own to ship this API. What made Payment Request API such a great success was that we had all engines onboard: Google, Microsoft, Apple, and Mozilla are all-in with implementing - and we expect all browsers to have fully interoperable implementations by the end of 2018. That's not the case with the Payment Handler API right now. Mozilla definitely wants to implement this API, but we just don't feel the specification is at a point where we can commit to that.
Let us be clear: At Mozilla, we understand how absolutely critical the Payment Handler API is to modernizing and opening up payments on the Web. It's the reason why, although we are not implementing the specification at this moment in time, we continue to fully participate in all aspects of the standards settings process. That is, from helping with editing, joining voice calls, working together on web platform tests for the spec, and doing as much as we can to push this specification forward. However, shipping this API prematurely risks us having significant interoperability issues in the future - or worse, having to standardize unintentional bugs due to premature adoption by sites in the wild.
Thanks for hearing us out, and we sincerely hope you will consider our feedback. We look forward to continuing to collaborate on Payment Handler together.
[0] https://github.com/w3ctag/design-reviews/issues/231
[1] https://github.com/w3c/web-platform-tests/tree/master/payment-handler
[2] https://github.com/w3c/payment-request/issues?q=is%3Aissue+is%3Aopen+label%3ACR-Exit
You received this message because you are subscribed to the Google Groups "blink-dev" group.--
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/75a32c57-1b53-4f2c-8ac8-309e716124e6%40chromium.org.
Is this API shipping with a new permission as described in the spec? I ask because I discussed this payment flow with Zach a couple weeks ago (or at least, I think it was this spec, maybe it was something else?) and we both felt that it would be difficult to make a permission prompt that was understandable to users. There were also a number of tricky questions about how to display the payment handler app and I think the spec should document those concerns (non-normatively?) in Section 7 or 8.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/2815ff86-603b-42d0-8ffa-a3597f38fb05%40chromium.org.
Rouslan, do we have other kinds of tests for this, brower_tests or something? What would it take to share virtually all of the tests that we have with WPT, what's missing infra-wise?
When the payment sheet is shown, please authorize the mock payment.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/71a8dd25-a0b7-4908-9ec4-95f0f26addc9%40chromium.org.
Hi all -
Sorry for the radio silence over the past few weeks. We've been chatting as a team, getting clearer on our permission story (or lack of one for that matter), and a few other housekeeping items. Let me try and summarize where we're at and address as many of the points as I can.
* I fully acknowledge many of the points that Marcos and team are raising. But I would also remind folks that all of these held true when we originally shipped PaymentRequest as well. We made a judgement call that, even in light of the risk of possible breaking changes, it was important to get the API out in the wild sooner rather than later. And because of a variety of factors for how checkout flows work, doing that within the confines of "safer" routes such as Origin Trials was not possible. Looking back, that was the right call to make, as I'm not sure we'd be having this conversation if it wasn't.
* The further reality is that we're at a critical juncture here. For the most part, the third party ecosystem supported by PaymentRequest is extremely limited, available only to Android apps in Chrome. This limits both our ability to scale and support the needs of millions of merchants worldwide for whom "basic-card" is insufficient as a payment method. In addition, the viability of “basic-card” continues to be diminished by changes in the payments industry that are only solved by Payment Handlers (e.g., 3DS 2.0, tokenization, etc). We announced publicly at I/O last year that we were working with some major payment providers, such as PayPal, to continue growing this ecosystem. These partners are working with us, but they will not wait for months to make progress. We need to be able to get this into production.
* In addition to the previous point, the set of players that would be implementing Payment Handlers is quite small, especially at the beginning. Unlike, for example, a Storage API that would be useful to nearly all developers, Payment Handlers only target a very small subset of companies (i.e., payment providers). This makes outreach in the event of breaking changes much simpler. Furthermore, the early partners we're working with know this is a new API and the potential risks of breaking changes. I think the Chrome teams' willingness to make core changes to the PaymentRequest API over the past year and a half is evidence of the fact that we're serious about making changes when they are necessary.
* We'll of course continue to support the efforts around PaymentRequest. Quite a few of us will be in Singapore in a couple of weeks for the face-to-face to engage on discussions around PaymentRequest, Payment Handlers, 3DS, Tokenization, and other topics. The payments system is complicated, and we're committed to pursuing these efforts in parallel to try and move forward an open and successful web payments ecosystem. We understand that not all teams are capable of that, so we're happy to help in whatever way we can to de-risk this.
* Lastly, just to clarify, we do not plan on having any permission prompts for this initial rollout. We’ll learn quickly if this is the wrong call and bring that experience back to the working group to inform the spec.
Thanks,
Zach
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOsZg64VrtZKKNQLrjga8JXg3mrQNzRBc9GsxU2kxCEcGrpd%2Bw%40mail.gmail.com.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY-cuJL-q%2B5r0T4v6E6Nbvs-7bg1ZYDzJP1ra9cq-KQe5Q%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw-Lnd8JOpMvHxFRQvM6nSY3FkSkyPCkeiQDafN6M9U%2Bcw%40mail.gmail.com.