The Payment Handler API allows web applications to register themselves as
capable of "handling payments". That is, they can handle payment requests
coming from the Payment Request API. Traditionally, handling payment
requests has been limited to OS specific payment handlers, and only to
particular browsers (Apple Pay on Safari, Google Pay for Chrome, for
instance). This new API has the potential to disrupt the payments
ecosystems, while also providing some much needed security to prevent
credit card fraud in the payments space.
Platform coverage: Desktop initially, Android later.
Preference: dom.payments.handler.enabled (plus potentially others at
DevTools bug: none yet. We're still working out the details of what we
might actually want.
* Chrome shipped since version 68
Secure contexts: Yes
Is this feature enabled by default in sandboxed iframes?
No. We are thinking that it's only available to top-level browsing
contexts, otherwise controlled by permission policy.
Link to standards-positions discussion:
How stable is the spec: some parts are stable (e.g., some of the events) …
other parts, not so much (e.g., payment instruments database).
Security & Privacy Concerns: a bunch of ongoing work is happening in this
space together with our colleagues at Google, as well as with the financial
industry at large. We hope that to see all that work reflected back in the
spec as we do our prototyping and find issues.