This specification defines capabilities that enable Web applications to
handle requests for payment.
Status of This Document
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.
The Web Payments Working Group maintains a list of all bug
reports that the group has not yet addressed. This draft highlights
some of the pending issues that are still to be discussed in the
working group. No decision has been taken on the outcome of these
issues including whether they are valid. Pull requests with proposed
specification text for outstanding issues are strongly encouraged.
This document was published by the Web Payments Working Group as a
Working Draft.
This document is intended to become a W3C Recommendation.
GitHub Issues are preferred for
discussion of this specification.
Publication as a Working Draft does not imply endorsement by the
W3C Membership. This is a draft document and may be updated, replaced or
obsoleted by other documents at any time. It is inappropriate to cite this
document as other than work in progress.
This document was produced by a group
operating under the
W3C Patent Policy.
W3C maintains a
public list of any patent disclosures
made in connection with the deliverables of
the group; that page also includes
instructions for disclosing a patent. An individual who has actual
knowledge of a patent which the individual believes contains
Essential Claim(s)
must disclose the information in accordance with
section 6 of the W3C Patent Policy.
An extension to the service worker registration interface
(PaymentManager) to manage the definition, display, and user
selection of PaymentInstruments.
This specification does not address how software built with
operating-system specific mechanisms (i.e., "native apps") handle
payment requests.
2.
Overview of Handling Payment Requests
In this document we envision the following flow:
An origin requests permission from the user to handle payment
requests for a set of supported payment methods. For example, a user
visiting a retail or bank site may be prompted to register a payment
handler from that origin. The origin establishes the scope of the
permission but the origin's capabilities may evolve without requiring
additional user consent.
The method and
optional capabilities inform the user
agent decision whether to display this instrument as a candidate
for payment.
When the instrument matches what the payee accepts, the user
agent may display the name
and icon. These provide
hints about payment credentials that the user agent will return in
the PaymentHandlerResponse if the user selects this
instrument.
When the merchant (or other payee) calls the
[payment-request] method canMakePayment() or show()
(e.g., when the user pushes a button on a checkout page), the user
agent computes a list of candidate payment handlers, comparing the
payment methods accepted by the merchant with those supported by
registered payment handlers. For payment methods that support
additional filtering, either merchant and payment handler capabilities
are compared or CanMakePaymentEvent is used as part of
determining whether there is a match.
The user agent displays a set of choices to the user: the
registered instruments of
the candidate payment handlers. The user agent displays these choices
using information (labels and icons) provided at registration or
otherwise available from the Web app.
Once activated, the payment handler performs whatever steps are
necessary to handle the payment
request, and return an appropriate payment response to the
payee. If interaction with the user is necessary, the payment
handler can open a window for that purpose.
The user agent receives a response asynchronously once the payment
handler has finished handling the request. The response becomes the
PaymentResponse (of [payment-request]).
Note
An origin may implement a payment app with more than one service worker
and therefore multiple payment handlers may be registered per
origin. The handler that is invoked is determined by the selection made
by the user of a payment
instrument. The service worker which stored the payment instrument with its
PaymentManager
is the one that will be invoked.
2.1
Handling a Payment Request
This section is non-normative.
A payment handler is a Web application that can handle a
request for payment on behalf of the user.
The logic of a payment handler is driven by the payment methods that
it supports. Some payment methods, such as basic-card expect
little to no processing by the payment handler which simply returns
payment card details in the response. It is then the job of the payee
website to process the payment using the returned data as input.
In contrast, some payment methods, such as a crypto-currency payments
or bank originated credit transfers, require that the payment handler
initiate processing of the payment. In such cases the payment handler
will return a payment reference, endpoint URL or some other data that
the payee website can use to determine the outcome of the payment (as
opposed to processing the payment itself).
Handling a payment request may include numerous interactions: with
the user through a new window or other APIs (such as
[WebCryptoAPI]) or with other services and origins through web
requests or other means.
This specification does not address these activities that occur
between the payment handler accepting the PaymentRequestEvent
and the payment handler returning a response. All of these activities
which may be required to configure the payment handler and handle the
payment request, are left to the implementation of the payment
handler, including:
how the user establishes an account with an origin that provides
payment services.
how an origin authenticates a user.
how communication takes place between the payee server and the
payee Web application, or between a payment app origin and other
parties.
Thus, an origin will rely on many other Web technologies defined
elsewhere for lifecycle management, security, user authentication,
user interaction, and so on.
This specification does not address how third-party mobile payment
apps interact (through proprietary mechanisms) with user agents, or
how user agents themselves provide simple payment app functionality.
Figure 2
Payment Handler API enables Web apps to handle payments. Other
types of payment apps may use other (proprietary) mechanisms.
3.
Registration
One registers a payment handler with the user agent when assigning the
first PaymentInstrument to it through the set() method.
3.1
Extension to the ServiceWorkerRegistration interface
This specification extends the ServiceWorkerRegistration
interface with the addition of a paymentManager attribute.
The PaymentManager is used by payment handlers to
manage their associated instruments and supported payment methods.
3.2.1
instruments attribute
This attribute allows manipulation of payment instruments
associated with a service worker (and therefore its payment
handler). To be a candidate payment handler, a handler must have at
least one registered payment instrument to present to the user.
That instrument needs to match the payment methods and required
capabilities specified by the payment request.
3.2.2
userHint attribute
When displaying payment handler name and icon, the user agent may
use this string to improve the user experience. For example, a user
hint of "**** 1234" can remind the user that a particular card is
available through this payment handler. When a agent displays all
payment instruments available through a payment handler, it may
cause confusion to display the additional hint.
The PaymentInstruments interface represents a collection of
payment instruments, each uniquely identified by an
instrumentKey. The instrumentKey identifier
will be passed to the payment handler to indicate the
PaymentInstrument selected by the user, if any.
3.3.1
delete() method
When called, this method executes the following steps:
Let p be a new promise.
Return p and perform the remaining steps in
parallel:
If the collection contains a PaymentInstrument with a
matching instrumentKey, remove it from the collection
and resolve p with true.
Otherwise, resolve p with false.
3.3.2
get() method
When called, this method executes the following steps:
Let p be a new promise.
Return p and perform the remaining steps in
parallel:
The name member is a string that represents the label for
this PaymentInstrument as it is usually displayed to the
user.
icons member
The icons member is an array of image objects that can
serve as iconic representations of the payment instrument when
presented to the user for selection.
The capabilities member is a list of
payment-method-specific capabilities that this payment handler is
capable of supporting for this instrument. For example, for the
basic-card payment method, this object will consist of an
object with two fields: one for supportedNetworks, and
another for supportedTypes.
The src member is used to specify the ImageObject's
source. It is a URL from which the user agent can fetch the
image’s data.
sizes member
The sizes member is used to specify the
ImageObject's sizes. It follows the spec of sizes member
in HTML link element,
which is a string consisting of an unordered
set of unique space-separated tokens which are ASCII case-insensitive that
represents the dimensions of an image. Each keyword is either an
ASCII
case-insensitive match for the string "any", or a value that
consists of two valid non-negative integers that do not have a
leading U+0030 DIGIT ZERO (0) character and that are separated by
a single U+0078 LATIN SMALL LETTER X or U+0058 LATIN CAPITAL
LETTER X character. The keywords represent icon sizes in raw
pixels (as opposed to CSS pixels). When multiple image objects
are available, a user agent MAY use the value to decide which
icon is most suitable for a display context (and ignore any that
are inappropriate). The parsing steps for the sizes member
MUST follow the parsing
steps for HTML link element sizes attribute.
type member
The type member is used to specify the
ImageObject's MIME type. It is a hint as to the media type
of the image. The purpose of this member is to allow a user agent
to ignore images of media types it does not support.
3.3.9
Convert image objects
When this algorithm with inputImages parameter is
invoked, the user agent must run the following steps:
According to the step 2.3, it is also possible to use the relative
url for image.src. The
following examples illustrate how relative URL resolution works in
different execution contexts.
Example 1: Resolving the relative URL of image.src in window context.
Implementations may impose a timeout for developers to respond to the
CanMakePaymentEvent. If the timeout expires, then the
implementation will behave as if respondWith() was called with
false.
This example shows how to write a service worker that listens to the
CanMakePaymentEvent. When a CanMakePaymentEvent is
received, the service worker always returns true.
Otherwise, if supported origins in
paymentMethodManifest is an ordered set of origins
that contains the paymentHandlerOrigin, fire the
CanMakePaymentEvent in the payment handler and return the
result.
Otherwise, return false.
4.5.1
How to specify capabilities
This section is non-normative.
Example of how a payment handler should provide the list of all its
active cards to the browser.
In this case, new PaymentRequest([{supportedMethods:
"basic-card"}], shoppingCart).canMakePayment() should return
true because there's an active card in the payment
handler. Note that new PaymentRequest([{supportedMethods:
"basic-card", data: {supportedTypes: ["debit"]}}],
shoppingCart).canMakePayment() would return
false because of mismatch in
supportedTypes in this example.
Issue 117: Support for Abort() being delegated to Payment Handler
Payment Request API supports delegation of responsibility to manage an
abort to a payment app. There is a proposal to add a
paymentRequestAborted event to the Payment Handler interface. The event
will have a respondWith method that takes a boolean parameter
indicating if the paymentRequest has been successfully aborted.
The PaymentMethodChangeResponse contains the updated
total (optionally with modifiers) and possible errors resulting from
user selection of a payment method within a payment handler.
A human readable string that explains why the payment method cannot
be used.
5.2.2
total member
Updated total based on the changed payment method. The total can
change, for example, because the billing address of the payment
method selected by the user changes the Value Added Tax (VAT).
5.2.3
modifiers member
Updated modifiers based on the changed payment method. For example,
if the overall total has increased by €1.00 based on the billing
address, then the totals specified in each of the modifiers should
also increase by €1.00.
5.2.4
paymentMethodErrors member
Validation errors for the payment method, if any.
5.3
The PaymentRequestEvent
The PaymentRequestEvent represents the data and methods available to
a Payment Handler after selection by the user. The user agent
communicates a subset of data available from the
PaymentRequest to the Payment Handler.
Returns a string that indicates the origin where a
PaymentRequest was initialized. When a PaymentRequest
is initialized in the topOrigin, the attributes have the
same value, otherwise the attributes have different values. For
example, when a PaymentRequest is initialized within an
iframe from an origin other than topOrigin, the value of
this attribute is the origin of the iframe. This attribute is
initialized by Handling a PaymentRequestEvent.
This sequence of PaymentDetailsModifier dictionaries
contains modifiers for particular payment method identifiers (e.g.,
if the payment amount or currency type varies based on a
per-payment-method basis). It is populated from the
PaymentRequest using the Modifiers Population
Algorithm defined below.
This method is used by the payment handler to show a window to the
user. When called, it runs the open window algorithm.
5.3.10
changePaymentMethod()
method
This method is used by the payment handler to get updated total
given such payment method details as the billing address. When
called, it runs the change payment method algorithm.
5.3.11
respondWith() method
This method is used by the payment handler to provide a
PaymentHandlerResponse when the payment successfully
completes. When called, it runs the Respond to PaymentRequest
Algorithm with event and
handlerResponsePromise as arguments.
Should payment apps receive user data stored in the user agent upon
explicit consent from the user? The payment app could request
permission either at installation or when the payment app is first
invoked.
The topOrigin, paymentRequestOrigin,
paymentRequestId, methodData,
total, modifiers, and
instrumentKey members share their definitions with those
defined for PaymentRequestEvent
5.3.13
MethodData Population Algorithm
To initialize the value of the methodData, the user agent
MUST perform the following steps or their equivalent:
An invoked payment handler may or may not need to display information
about itself or request user input. Some examples of potential payment
handler display include:
The payment handler opens a window for the user to provide an
authorization code.
The payment handler opens a window that makes it easy for the user
to confirm payment using default information for that site provided
through previous user configuration.
When first selected to pay in a given session, the payment handler
opens a window. For subsequent payments in the same session, the
payment handler (through configuration) performs its duties without
opening a window or requiring user interaction.
A payment handler that requires visual display and user
interaction, may call openWindow() to display a page to the user.
Note
Since user agents know that this method is connected to the
PaymentRequestEvent, they SHOULD render the window in a way that
is consistent with the flow and not confusing to the user. The
resulting window client is bound to the tab/window that initiated the
PaymentRequest. A single payment handlerSHOULD NOT be
allowed to open more than one client window using this method.
This example shows how to write a service worker that listens to the
PaymentRequestEvent. When a PaymentRequestEvent is
received, the service worker opens a window to interact with the
user.
The Web Payments Working Group plans to revisit these two examples.
Using the simple scheme described above, a trivial HTML page that is
loaded into the payment handler window to implement the
basic card scheme might look like the following:
A JSON-serializable object that provides a payment
method specific message used by the merchant to process the
transaction and determine successful fund transfer.
The user agent receives a successful response from the payment
handler through resolution of the Promise provided to the
respondWith()
function of the corresponding PaymentRequestEvent interface.
The application is expected to resolve the Promise with a
PaymentHandlerResponse instance containing the payment
response. In case of user cancellation or error, the application
may signal failure by rejecting the Promise.
If the Promise is rejected, the user agent MUST run the
payment app failure algorithm. The exact details of this
algorithm are left to implementers. Acceptable behaviors include,
but are not limited to:
Letting the user try again, with the same payment handler or
with a different one.
[payment-request] defines an ID that parties in the
ecosystem (including payment app providers and payees) can use for
reconciliation after network or other failures.
8.
Security and Privacy Considerations
8.1
Information about the User Environment
The API does not share information about the user's registered
payment handlers. Information from origins is only shared with the
payee with the consent of the user.
User agents should not share payment request information with any
payment handler until the user has selected that payment handler.
In a browser that supports Payment Handler API, when a merchant
creates a PaymentRequest object with URL-based payment method
identifiers, CanMakePaymentEvent will fire in registered
payment handlers from a finite number of origins: the origins of the
payment method manifests and their supported origins. This
means that a registered payment handler will know that a user has
visited a website before the user has selected that payment handler
to complete a transaction. This behavior is similar to the status quo
where a merchant embeds a third-party iframe in a checkout page.
However, because user agents enable users to disable the
CanMakePaymentEvent and users can choose to uninstall payment
handlers, this approach improves upon the iframe status quo.
User agents should allow users to disable support for the
CanMakePaymentEvent.
8.2
User Consent to Install a Payment Handler
This specification does not define how the user agent establishes
user consent when set() is first called. The user agent might
prompt the user as a result of set(), or might not if consent
has been established previously through manual configuration by the
user or usage patterns.
User agents MAY reject a set() promise for security
reasons (e.g., due to an invalid SSL certificate) and SHOULD notify
the user when this happens.
8.3
User Consent before Payment
One goal of this specification is to minimize the user
interaction required to make a payment. At the same time, user agents
must not permit combinations of configurations that would enable
invoking Web sites to invoke payment request and receive payments
silently.
The user agent is not required to make available payment handlers
that pose security issues. Security issues might include:
Certificates that are expired, revoked, self-signed, and so
on.
Mixed content
Page available through HTTPs redirects to one that is not.
Payment handler is known from safe browsing database to be
malicious
When a payment handler is unavailable for security reasons, the
user agent should provide rationale to the payment handler
developers (e.g., through console messages) and may also inform
the user to help avoid confusion.
8.6
Supported Origin
Payment method manifests authorize origins to distribute
payment apps for a given payment method. When the user agent is
determining whether a payment handler matches the origin listed in
a payment method manifest, the user agent uses the scope URL
of the payment handler's service worker registration.
8.7
Data Validation
To mitigate the scenario where a hijacked payee site submits
fraudlent or malformed payment method data (or, for that matter,
payment request data) to the payee's server, the payee's server
should validate the data format and correlate the data with
authoritative information on the server such as accepted payment
methods, total, display items, and shipping address.
8.8
Private Browsing Mode
When the Payment Request API is invoked in a "private browsing
mode," the user agent should launch payment handlers in a private
context. This will generally prevent sites from accessing any
previously-stored information. In turn, this is likely to require
either that the user log in to the origin or re-enter payment
instrument details.
The CanMakePaymentEvent event should not be fired in
private browsing mode. The user agent should behave as if
respondWith()
was called with false. We acknowledge a consequent
risk: if an entity controls both the origin of the Payment Request
API call and the origin of the payment handler, that entity may be
able to deduce that the user may be in private browsing mode.
9.
Payment Handler Display Considerations
This section is non-normative.
When ordering payment handlers and payment instruments, the user agent
is expected to honor user preferences over other preferences. User
agents are expected to permit manual configuration options, such as
setting a preferred payment handler or instrument display order for an
origin, or for all origins.
User experience details are left to implementers.
10.
Dependencies
This specification relies on several other underlying specifications.
When this specification says to throw an error, the user agent must
throw an error as described in [WEBIDL]. When this occurs in a
sub-algorithm, this results in termination of execution of the
sub-algorithm and all ancestor algorithms until one is reached that
explicitly describes procedures for catching exceptions.
As well as sections marked as non-normative, all authoring guidelines,
diagrams, examples, and notes in this specification are non-normative.
Everything else in this specification is normative.
The key words MAY, MUST, SHOULD, and SHOULD NOT in this document
are to be interpreted as described in
BCP 14
[RFC2119]
[RFC8174] when, and only when, they appear
in all capitals, as shown here.
There is only one class of product that can claim conformance to this
specification: a user agent.
User agents MAY implement algorithms given in this specification in any
way desired, so long as the end result is indistinguishable from the
result that would be obtained by the specification's algorithms.
User agents MAY impose implementation-specific limits on otherwise
unconstrained inputs, e.g., to prevent denial of service attacks, to
guard against running out of memory, or to work around
platform-specific limitations. When an input exceeds
implementation-specific limit, the user agent MUST throw, or, in the
context of a promise, reject with, a TypeError optionally
informing the developer of how a particular input exceeded an
implementation-specific limit.
