This specification defines capabilities that enable Web applications to
handle requests for payment.
Status of This Document
This section describes the status of this
document at the time of its publication. A list of current W3C
publications and the latest revision of this technical report can be found
in the W3C technical reports index at
https://www.w3.org/TR/.
The Web Payments Working Group maintains a list of all bug
reports that the group has not yet addressed. This draft highlights
some of the pending issues that are still to be discussed in the
working group. No decision has been taken on the outcome of these
issues including whether they are valid. Pull requests with proposed
specification text for outstanding issues are strongly encouraged.
Publication as a Working Draft does not
imply endorsement by W3C and its Members.
This is a draft document and may be updated, replaced or obsoleted by other
documents at any time. It is inappropriate to cite this document as other
than work in progress.
This document was produced by a group
operating under the
W3C Patent
Policy.
W3C maintains a
public list of any patent disclosures
made in connection with the deliverables of
the group; that page also includes
instructions for disclosing a patent. An individual who has actual
knowledge of a patent which the individual believes contains
Essential Claim(s)
must disclose the information in accordance with
section 6 of the W3C Patent Policy.
This specification does not address how software built with
operating-system specific mechanisms (i.e., "native apps") handle
payment requests.
2.
Overview of Handling Payment Requests
In this document we envision the following flow:
An origin requests permission from the user to handle payment
requests for a set of supported payment methods. For example, a user
visiting a retail or bank site may be prompted to register a payment
handler from that origin. The origin establishes the scope of the
permission but the origin's capabilities may evolve without requiring
additional user consent.
The method informs
the user agent decision whether to display this instrument as a
candidate for payment.
When the instrument matches what the payee accepts, the user
agent may display the name
and icon. These provide
hints about payment credentials that the user agent will return in
the PaymentHandlerResponse if the user selects this
instrument.
When the merchant (or other payee) calls the
[payment-request] method canMakePayment() or show()
(e.g., when the user pushes a button on a checkout page), the user
agent computes a list of candidate payment handlers, comparing the
payment methods accepted by the merchant with those known to the user
agent through any number of mechanisms, including, but not limited to:
Those previously registered through this API.
Those that may be registered through this API during the course of
the transaction, e.g., identified through a payment method
manifest.
Those registered through other mechanisms, e.g., the operating
system.
The user agent displays a set of choices to the user: the
registered instruments of
the candidate payment handlers. The user agent displays these choices
using information (labels and icons) provided at registration or
otherwise available from the Web app.
Once activated, the payment handler performs whatever steps are
necessary to handle the payment
request, and return an appropriate payment response to the
payee. If interaction with the user is necessary, the payment
handler can open a window for that purpose.
The user agent receives a response asynchronously once the payment
handler has finished handling the request. The response becomes the
PaymentResponse (of [payment-request]).
Note
An origin may implement a payment app with more than one service worker
and therefore multiple payment handlers may be registered per
origin. The handler that is invoked is determined by the selection made
by the user of a payment
instrument. The service worker which stored the payment instrument with its
PaymentManager
is the one that will be invoked.
2.1
Handling a Payment Request
This section is non-normative.
A payment handler is a Web application that can handle a
request for payment on behalf of the user.
The logic of a payment handler is driven by the payment methods that
it supports. Some payment methods expect little to no processing by
the payment handler which simply returns payment card details in the
response. It is then the job of the payee website to process the
payment using the returned data as input.
In contrast, some payment methods, such as a crypto-currency payments
or bank originated credit transfers, require that the payment handler
initiate processing of the payment. In such cases the payment handler
will return a payment reference, endpoint URL or some other data that
the payee website can use to determine the outcome of the payment (as
opposed to processing the payment itself).
Handling a payment request may include numerous interactions: with
the user through a new window or other APIs (such as
Web Cryptography API) or with other services and origins through web
requests or other means.
This specification does not address these activities that occur
between the payment handler accepting the PaymentRequestEvent and
the payment handler returning a response. All of these activities
which may be required to configure the payment handler and handle the
payment request, are left to the implementation of the payment
handler, including:
how the user establishes an account with an origin that provides
payment services.
how an origin authenticates a user.
how communication takes place between the payee server and the
payee Web application, or between a payment app origin and other
parties.
Thus, an origin will rely on many other Web technologies defined
elsewhere for lifecycle management, security, user authentication,
user interaction, and so on.
This specification does not address how third-party mobile payment
apps interact (through proprietary mechanisms) with user agents, or
how user agents themselves provide simple payment app functionality.
Figure 2
Payment Handler API enables Web apps to handle payments. Other
types of payment apps may use other (proprietary) mechanisms.
3.
Registration
One registers a payment handler with the user agent when either
assigning the first PaymentInstrument to it through the
set() method or through a just-in-time (JIT)
registration mechanism.
3.1
Just-in-time registration
If a payment handler is not registered when a merchant invokes
show() method, a user agent may allow the user to
register this payment handler during the transaction ("just-in-time").
The remaining content of this section is non-normative.
The PaymentManager is used by payment handlers to manage
their associated instruments as well as supported payment methods and
delegations.
3.3.1
instruments attribute
This attribute allows manipulation of payment instruments
associated with a service worker (and therefore its payment
handler). To be a candidate payment handler, a handler must have at
least one registered payment instrument to present to the user.
That instrument needs to match the payment methods specified by the
payment request.
3.3.2
userHint attribute
When displaying payment handler name and icon, the user agent may
use this string to improve the user experience. For example, a user
hint of "**** 1234" can remind the user that a particular card is
available through this payment handler. When a agent displays all
payment instruments available through a payment handler, it may
cause confusion to display the additional hint.
The PaymentInstruments interface represents a collection of
payment instruments, each uniquely identified by an
instrumentKey. The instrumentKey identifier
will be passed to the payment handler to indicate the
PaymentInstrument selected by the user, if any.
3.5.1
delete() method
When called, this method executes the following steps:
The name member is a string that represents the label for
this PaymentInstrument as it is usually displayed to the
user.
icons member
The icons member is an array of image objects that can
serve as iconic representations of the payment instrument when
presented to the user for selection.
The src member is used to specify the ImageObject's
source. It is a URL from which the user agent can fetch the
image’s data.
sizes member
The sizes member is used to specify the
ImageObject's sizes. It follows the spec of sizes member
in HTML link element, which is a string consisting of an
unordered set of unique space-separated tokens which are
ASCII case-insensitive that represents the dimensions of an
image. Each keyword is either an ASCII case-insensitive match
for the string "any", or a value that consists of two valid
non-negative integers that do not have a leading U+0030 DIGIT
ZERO (0) character and that are separated by a single U+0078
LATIN SMALL LETTER X or U+0058 LATIN CAPITAL LETTER X character.
The keywords represent icon sizes in raw pixels (as opposed to
CSS pixels). When multiple image objects are available, a user
agent MAY use the value to decide which icon is most suitable for
a display context (and ignore any that are inappropriate). The
parsing steps for the sizes member MUST follow
the parsing steps for HTML
link element sizes attribute.
type member
The type member is used to specify the
ImageObject's MIME type. It is a hint as to the media type
of the image. The purpose of this member is to allow a user agent
to ignore images of media types it does not support.
3.5.9
Convert image objects
When this algorithm with inputImages parameter is
invoked, the user agent must run the following steps:
According to the step 2.3, it is also possible to use the relative
url for image.src. The
following examples illustrate how relative URL resolution works in
different execution contexts.
Example 1: Resolving the relative URL of image.src in window context.
<-- In this example, code is located in https://www.example.com/bobpay/index.html -->
<script>const instrumentKey = "c8126178-3bba-4d09-8f00-0771bcfd3b11";
navigator.serviceWorker.register("/register/sw.js");
const registration = await navigator.serviceWorker.ready;
await registration.paymentManager.paymentInstruments.set({
instrumentKey,
{
name: "My Bob Pay Account: john@example.com",
method: "https://bobpay.com",
icons: [{
src: "icon/lowres.webp",
sizes: "48x48",
type: "image/webp"
}]
});
const storedInstrument =
await registration.paymentManager.paymentInstruments.get(instrumentKey);
// storedInstrument.icons[0].src == "https://www.example.com/bobpay/icon/lowres.webp";</script>
Example 2: Resolving the relative URL of image.src in service worker context.
// In this example, code is located in https://www.example.com/register/sw.jsconst instrumentKey = "c8126178-3bba-4d09-8f00-0771bcfd3b11";
await self.registration.paymentManager.paymentInstruments.set({
instrumentKey,
{
name: "My Bob Pay Account: john@example.com",
method: "https://bobpay.com",
icons: [{
src: "../bobpay/icon/lowres.webp",
sizes: "48x48",
type: "image/webp"
}]
});
const storedInstrument =
await registration.paymentManager.paymentInstruments.get(instrumentKey);
// storedInstrument.icons[0].src == "https://www.example.com/bobpay/icon/lowres.webp";
3.5.10
Registration Example
This section is non-normative.
The following example shows how to register a payment handler:
Implementations may impose a timeout for developers to respond to the
CanMakePaymentEvent. If the timeout expires, then the
implementation will behave as if respondWith()
was called with false.
This example shows how to write a service worker that listens to the
CanMakePaymentEvent. When a CanMakePaymentEvent is
received, the service worker always returns true.
Otherwise, if supported origins in
paymentMethodManifest is an ordered set of origin
that contains the paymentHandlerOrigin, fire the
CanMakePaymentEvent in the payment handler and return the
result.
Issue 117: Support for Abort() being delegated to Payment Handler
Payment Request API supports delegation of responsibility to manage an
abort to a payment app. There is a proposal to add a
paymentRequestAborted event to the Payment Handler interface. The event
will have a respondWith method that takes a boolean parameter
indicating if the paymentRequest has been successfully aborted.
The PaymentRequestDetailsUpdate contains the updated
total (optionally with modifiers and shipping options) and possible
errors resulting from user selection of a payment method, a shipping
address, or a shipping option within a payment handler.
A human readable string that explains why the user selected payment
method, shipping address or shipping option cannot be used.
5.2.2
total member
Updated total based on the changed payment method, shipping
address, or shipping option. The total can change, for example,
because the billing address of the payment method selected by the
user changes the Value Added Tax (VAT); Or because the shipping
option/address selected/provided by the user changes the shipping
cost.
5.2.3
modifiers member
Updated modifiers based on the changed payment method, shipping
address, or shipping option. For example, if the overall total has
increased by €1.00 based on the billing or shipping address, then
the totals specified in each of the modifiers should also increase
by €1.00.
5.2.4
shippingOptions member
Updated shippingOptions based on the changed shipping address. For
example, it is possible that express shipping is more expensive or
unavailable for the user provided country.
5.2.5
paymentMethodErrors member
Validation errors for the payment method, if any.
5.2.6
shippingAddressErrors member
Validation errors for the shipping address, if any.
5.3
The PaymentRequestEvent
The PaymentRequestEvent represents the data and methods available to
a Payment Handler after selection by the user. The user agent
communicates a subset of data available from the
PaymentRequest to the Payment Handler.
Returns a string that indicates the origin where a
PaymentRequest was initialized. When a PaymentRequest
is initialized in the topOrigin, the attributes have the
same value, otherwise the attributes have different values. For
example, when a PaymentRequest is initialized within an
iframe from an origin other than topOrigin, the value of
this attribute is the origin of the iframe. This attribute is
initialized by Handling a PaymentRequestEvent.
This attribute indicates the total amount being requested for
payment. It is of type PaymentCurrencyAmount dictionary as
defined in [payment-request], and initialized with a copy of the
total field of the PaymentDetailsInit provided when
the corresponding PaymentRequest object was instantiated.
5.3.6
modifiers attribute
This sequence of PaymentDetailsModifier dictionaries
contains modifiers for particular payment method identifiers (e.g.,
if the payment amount or currency type varies based on a
per-payment-method basis). It is populated from the
PaymentRequest using the Modifiers Population
Algorithm defined below.
5.3.7
paymentOptions attribute
The value of PaymentOptions in the
PaymentRequest. Available only when shippingAddress and/or
any subset of payer's contact information are requested.
This method is used by the payment handler to show a window to the
user. When called, it runs the open window algorithm.
5.3.10
changePaymentMethod()
method
This method is used by the payment handler to get updated total
given such payment method details as the billing address. When
called, it runs the change payment method algorithm.
5.3.11
changeShippingAddress()
method
This method is used by the payment handler to get updated payment
details given the shippingAddress. When called, it runs the
change payment details algorithm.
5.3.12
changeShippingOption()
method
This method is used by the payment handler to get updated payment
details given the shippingOption identifier. When called, it runs
the change payment details algorithm.
5.3.13
respondWith() method
This method is used by the payment handler to provide a
PaymentHandlerResponse when the payment successfully
completes. When called, it runs the Respond to PaymentRequest
Algorithm with event and handlerResponsePromise as
arguments.
Should payment apps receive user data stored in the user agent upon
explicit consent from the user? The payment app could request
permission either at installation or when the payment app is first
invoked.
The topOrigin, paymentRequestOrigin,
paymentRequestId, methodData,
total, modifiers, paymentOptions,
and shippingOptions members share their definitions with
those defined for PaymentRequestEvent
5.3.15
MethodData Population Algorithm
To initialize the value of the methodData, the user agent
MUST perform the following steps or their equivalent:
An invoked payment handler may or may not need to display information
about itself or request user input. Some examples of potential payment
handler display include:
The payment handler opens a window for the user to provide an
authorization code.
The payment handler opens a window that makes it easy for the user
to confirm payment using default information for that site provided
through previous user configuration.
When first selected to pay in a given session, the payment handler
opens a window. For subsequent payments in the same session, the
payment handler (through configuration) performs its duties without
opening a window or requiring user interaction.
A payment handler that requires visual display and user
interaction, may call openWindow() to display a page to the user.
Note
Since user agents know that this method is connected to the
PaymentRequestEvent, they SHOULD render the window in a way that is
consistent with the flow and not confusing to the user. The resulting
window client is bound to the tab/window that initiated the
PaymentRequest. A single payment handlerSHOULD NOT be
allowed to open more than one client window using this method.
This example shows how to write a service worker that listens to the
PaymentRequestEvent. When a PaymentRequestEvent is received,
the service worker opens a window to interact with the user.
asyncfunctiongetPaymentResponseFromWindow() {
returnnewPromise((resolve, reject) => {
self.addEventListener("message", listener = e => {
self.removeEventListener("message", listener);
if (!e.data || !e.data.methodName) {
reject();
return;
}
resolve(e.data);
});
});
}
self.addEventListener("paymentrequest", e => {
e.respondWith((async() => {
// Open a new window for providing payment UI to user.const windowClient = await e.openWindow("payment_ui.html");
// Send data to the opened window.
windowClient.postMessage({
total: e.total,
modifiers: e.modifiers
});
// Wait for a payment response from the opened window.returnawait getPaymentResponseFromWindow();
})());
});
Using the simple scheme described above, a trivial HTML page that is
loaded into the payment handler window might look like the
following:
A JSON-serializable object that provides a payment
method specific message used by the merchant to process the
transaction and determine successful fund transfer.
The user agent receives a successful response from the payment
handler through resolution of the Promise provided to the
respondWith function of the corresponding
PaymentRequestEvent interface. The application is expected to
resolve the Promise with a PaymentHandlerResponse instance
containing the payment response. In case of user cancellation or
error, the application may signal failure by rejecting the Promise.
If the Promise is rejected, the user agent MUST run the
payment app failure algorithm. The exact details of this
algorithm are left to implementers. Acceptable behaviors include,
but are not limited to:
Letting the user try again, with the same payment handler or
with a different one.
Serialize required members of handlerResponse (
methodName and details are always required;
shippingAddress and shippingOption are
required when shippingRequired is true;
payerName, payerEmail, and
payerPhone are required when
payerNameRequired, payerEmailRequired, and
payerPhoneRequired are true, respectively.):
For each memberin
handlerResponseLet serializeMemberbe
the result of StructuredSerializewith
handlerResponse.member. Rethrow any
exceptions.
[payment-request] defines an ID that parties in the
ecosystem (including payment app providers and payees) can use for
reconciliation after network or other failures.
8.
Security and Privacy Considerations
8.1 Addresses
The Web Payments Working Group removed support for shipping and
billing addresses from the original version of Payment Request API due
to privacy issues; see issue
842. In order to provide documentation for implementations that
continue to support this capability, the Working Group is now
restoring the feature with an expectation of addressing privacy
issues. In doing so the Working Group may also make changes to Payment
Request API based on the evolution of other APIs (e.g., the Content
Picker API).
8.2
Information about the User Environment
The API does not share information about the user's registered
payment handlers. Information from origins is only shared with the
payee with the consent of the user.
User agents should not share payment request information with any
payment handler until the user has selected that payment handler.
In a browser that supports Payment Handler API, when a merchant
creates a PaymentRequest object with URL-based payment method
identifiers, a CanMakePaymentEvent will fire in registered
payment handlers from a finite set of origins: the origins of the
payment method manifests and their supported origins. This
event is fired before the user has selected that payment handler,
but it contains no information about the triggering origin (i.e.,
the merchant website) and so cannot be used to track users directly.
A merchant website sends notice via a backend channel (e.g., the
fetch API) to a payment handler origin, sharing that they are about
to construct a PaymentRequest object.
The merchant website then constructs the PaymentRequest,
triggering a CanMakePaymentEvent to be fired at the installed
payment handler.
That payment handler contacts its own origin, and on the server
side attempts to join the two requests.
User agents should allow users to disable support for the
CanMakePaymentEvent.
In a browser that supports Payment Handler API,
CanMakePaymentEvent will fire in registered payment handlers
that can provide all merchant requested information including
shipping address and payer's contact information whenever needed.
8.3
User Consent to Install a Payment Handler
This specification does not define how the user agent establishes
user consent when set() is first called. The user agent might
prompt the user as a result of set(), or might not if consent
has been established previously through manual configuration by the
user or usage patterns.
User agents MAY reject a set() promise for security
reasons (e.g., due to an invalid SSL certificate) and SHOULD notify
the user when this happens.
8.4
User Consent before Payment
One goal of this specification is to minimize the user
interaction required to make a payment. However, we also want to
ensure that the user has an opportunity to consent to making a
payment. Because payment handlers are not required to open a window
for user interaction, user agents should take necessary steps to make
sure the user (1) is made aware when a payment request is invoked,
and (2) has an opportunity to interact with a payment handler before
the merchant receives the response from that payment handler.
8.5
User Awareness about Sharing Data Cross-Origin
By design, a payment handler from one origin shares data with
another origin (e.g., the merchant site).
To mitigate phishing attacks, it is important that user agents
make clear to users the origin of a payment handler.
User agents should help users understand that they are sharing
information cross-origin, and ideally what information they are
sharing.
The user agent is not required to make available payment handlers
that pose security issues. Security issues might include:
Certificates that are expired, revoked, self-signed, and so
on.
Mixed content
Page available through HTTPs redirects to one that is not.
Payment handler is known from safe browsing database to be
malicious
When a payment handler is unavailable for security reasons, the
user agent should provide rationale to the payment handler
developers (e.g., through console messages) and may also inform
the user to help avoid confusion.
8.8
Supported Origin
Payment method manifests authorize origins to distribute
payment apps for a given payment method. When the user agent is
determining whether a payment handler matches the origin listed in
a payment method manifest, the user agent uses the scope URL
of the payment handler's service worker registration.
8.9
Data Validation
To mitigate the scenario where a hijacked payee site submits
fraudlent or malformed payment method data (or, for that matter,
payment request data) to the payee's server, the payee's server
should validate the data format and correlate the data with
authoritative information on the server such as accepted payment
methods, total, display items, and shipping address.
8.10
Private Browsing Mode
When the Payment Request API is invoked in a "private browsing
mode," the user agent should launch payment handlers in a private
context. This will generally prevent sites from accessing any
previously-stored information. In turn, this is likely to require
either that the user log in to the origin or re-enter payment
instrument details.
The CanMakePaymentEvent event should not be fired in
private browsing mode. The user agent should behave as if
respondWith()
was called with false. We acknowledge a consequent risk: if an
entity controls both the origin of the Payment Request API call and
the origin of the payment handler, that entity may be able to
deduce that the user may be in private browsing mode.
9.
Payment Handler Display Considerations
This section is non-normative.
When ordering payment handlers and payment instruments, the user agent
is expected to honor user preferences over other preferences. User
agents are expected to permit manual configuration options, such as
setting a preferred payment handler or instrument display order for an
origin, or for all origins.
User experience details are left to implementers.
10.
Dependencies
This specification relies on several other underlying specifications.
As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.
The key words MAY, MUST, SHOULD, and SHOULD NOT in this document
are to be interpreted as described in
BCP 14
[RFC2119] [RFC8174]
when, and only when, they appear in all capitals, as shown here.
There is only one class of product that can claim conformance to this
specification: a user agent.
User agents MAY implement algorithms given in this specification in any
way desired, so long as the end result is indistinguishable from the
result that would be obtained by the specification's algorithms.
User agents MAY impose implementation-specific limits on otherwise
unconstrained inputs, e.g., to prevent denial of service attacks, to
guard against running out of memory, or to work around
platform-specific limitations. When an input exceeds
implementation-specific limit, the user agent MUST throw, or, in the
context of a promise, reject with, a TypeError optionally informing
the developer of how a particular input exceeded an
implementation-specific limit.
