Intent to Implement: Payment Request - Merchant Validation

Danyao Wang

Feb 22, 2019, 2:22:37 PM
to blink-dev
Contact emails
dan...@chromium.org, rou...@chromium.org

Spec
https://w3c.github.io/payment-request/#merchantvalidationevent-interface

Summary
Merchant validation is the process by which a payment handler validates the identity of a merchant against some value (usually some cryptographic challenge response). Validated merchants are allowed to interface with a payment handler. The PaymentRequest's onmerchantvalidation event is invoked when the user agent requests merchant validation on behalf of a selected payment handler.
Example flow: https://github.com/w3c/payment-request/issues/646

Motivation
Merchant validation gives payment providers a mechanism to enforce their guidelines with merchants (e.g. no porn or weapons). Apple Pay and PayPal are two example payment methods that have this kind of authentication and validation mechanism. Standardizing this interface on Payment Request makes it easier for websites to interoperate with browsers' built-in payment methods or third-party payment methods built using the Payment Handler API. This avoids divergent implementations of out-of-band validation mechanisms.

Interoperability risk
Firefox: shipped interface definition
Edge: No public signals
Safari: shipped
Web developers: Positive
Interop risk is low. The feature as currently specified is already shipped in Safari and used by Apple Pay. Firefox has shipped the interface definition that can be extended in the future for full support in payment handlers.

Compatibility risk
Low. This is a new feature for the Payment Request API and Payment Handler API.

Ongoing technical constraints
None.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
No. Payment Request and its related APIs are not supported in Android WebView.

OWP launch tracking bug
http://crbug.com/867904

Link to entry on the Chrome Platform Status
https://www.chromestatus.com/features/5082085060509696

Requesting approval to ship?
No.

Philip Jägenstedt

Feb 26, 2019, 8:30:28 AM
to Danyao Wang, blink-dev
FTR, this seems like a small-enough addition that additional TAG review is not warranted, especially given that it's already shipped in Safari.

It's curious that Firefox shipped the interfaces only, citing web compat. That should break feature detection, which isn't great. Is that a motivation for us as well? Is there code out there assuming Apple Pay that breaks without the interfaces?

Danyao Wang

Feb 26, 2019, 1:08:11 PM
to Philip Jägenstedt, blink-dev
Hi Philip,

Our intention is to ship full support of the merchant validation flow, not just the interfaces. This involves adding an API in the Payment Handler spec to allow web-based payment handlers (e.g. Google Pay) to initiate merchant validation. Apple's experience shows that this is a useful feature for payment providers. We are following up with other payment providers to gauge interest too.

Philip Jägenstedt

Feb 26, 2019, 2:29:32 PM
to Danyao Wang, Marcos Caceres, blink-dev
That is as expected, thanks Danyao. What Firefox has done seems curious, perhaps +Marcos Caceres can shed light on why?

mcac...@mozilla.com

Feb 26, 2019, 5:26:22 PM
to Philip Jägenstedt, Danyao Wang, blink-dev


On 27 Feb 2019, at 06:29, Philip Jägenstedt <foo...@chromium.org> wrote:

> That is as expected, thanks Danyao. What Firefox has done seems curious, perhaps +Marcos Caceres can shed light on why?

We implemented it for completeness, to validate the spec, and for conformance... but we haven’t shipped it (PR API is pref’ed off by default). 

I wanted to have it ready and fully tested in case we ended up needing it for Payment Handlers. 

Philip Jägenstedt

Feb 26, 2019, 6:39:55 PM
to Marcos Caceres, Danyao Wang, blink-dev
Ah, if it hasn't shipped then it doesn't matter, sorry for the noise :)