Status of this document
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.
The Web Payments Working Group maintains a list of all bug reports that the group has not yet addressed. This draft highlights some of the pending issues that are still to be discussed in the working group. No decision has been taken on the outcome of these issues including whether they are valid. Pull requests with proposed specification text for outstanding issues are strongly encouraged.
This document was published by the Web Payments Working Group as a Working Draft. This document is intended to become a W3C Recommendation.
This document is a First Public Working Draft.
Publication as a First Public Working Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.
This document was produced by a group operating under the W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.
This document is governed by the 1 March 2017 W3C Process Document.
1. Introduction
This section and its sub-sections are non-normative.
1.1. Use cases
This specification intends to address the following use cases:
-
The owner of a payment method wishes to authorize only certain parties to distribute payment apps that are capable of implementing the payment method. In this use case, the browser helps to ensure that for that payment method, the user can only invoke payment apps from parties authorized by the owner of the payment method.
-
In addition, the owner of a payment method wishes to confirm the authenticity of a particular payment app (e.g., via a digital signature for that app).
-
When the user has not yet installed a payment app for a payment method, the user agent can provide an improved user experience for procuring one.
This is accomplished via the requirement that every payment method whose identifier is URL-based will provide a payment method manifest file in JSON format containing two key pieces of information:
-
any default payment apps that are associated with this payment method, referenced as absolute-URL strings giving the URL of their web app manifests; and
-
any other origins that are permitted to return payment credentials for this payment method.
1.2. Accessing the manifest
The resource identified by the payment method identifier URL does not directly contain the
machine-readable payment method manifest. It is often a generic URL (such as
"https://alicepay.com/
") which is more suitable for human-readable content. Instead, a
HTTP Link header is used to direct user agents seeking out the payment method manifest toward
another location. [RFC8288]
For an example payment method AlicePay, with payment method identifier "https://alicepay.com/
", a user agent might issue a request to that payment method identifier URL as follows:
HEAD / HTTP/2 Host: alicepay.com User-Agent: Mellblomenator/9000
The server would then respond:
HTTP/2 204 Link: </pay/payment-manifest.json>; rel="payment-method-manifest"
1.3. Example manifest file
Continuing our example from §1.2 Accessing the manifest, the AlicePay payment method could provide the
following payment method manifest file at https://alicepay.com/pay/payment-manifest.json
:
{ "default_applications": ["https://alicepay.com/pay/app/webappmanifest.json"], "supported_origins": [ "https://bobpay.xyz", "https://alicepay.friendsofalice.example" ] }
This indicates that, if the user agent does not have a payment app for AlicePay installed, it
can locate one by consulting the web app manifest at
"https://alicepay.com/pay/app/webappmanifest.json
".
It also indicates that, apart from this default payment app, AlicePay also allows payment apps hosted at the two indicated origins to be used for AlicePay. This means that if the user agent ever encounters payment apps hosted at those origins claiming support for AlicePay, it can allow them to act as payment apps for the AlicePay payment method.
The manifest file could also omit the "supported_origins
" key, if no third-party payment apps are supported for the payment method in question, or it could use the value
"*
" instead of an array of origins, to indicate that any third party is allowed to
support the payment method.
2. Manifest format
A valid payment method manifest file is a UTF-8 encoded file containing contents parseable as a JSON object. The resulting JSON object must contain
at most two items, with the possible keys "default_applications
" and
"supported_origins
".
The value of the default_applications
key, if present, must be a non-empty JSON array.
Each item in the array must be an absolute-URL string such that the resulting parsed URL's scheme is "https
".
The value of the supported_origins
key, if present, must be either the string
"*
", or a non-empty JSON array. In the latter case, each item in the array must be an absolute-URL string that represents an HTTPS origin. Formally, the string must be equal to
the serialization of the resulting parsed URL's origin.
Web developers must ensure that all of their payment method manifests are valid.
As with all conformance requirements on the contents of files, these are web-developer facing, and not implementer-facing. The exact processing model (given in §3 Processing model) governs how implementers process all payment method manifest files, including invalid ones.
{ "default_applications": ["https://alicepay.com/pay/app/webappmanifest.json"], "created_by": "Alice", "created_in": "Wonderland" }
This could change in the future, for example if the processing model later expands to define a
meaning for a new standard "created_by
" key that requires it to be an object instead
of a string. To avoid situations like this, web developers are best served by ensuring validity of their payment method manifests, and thus avoiding any unpleasant surprises.
3. Processing model
3.1. Modifications to Payment Request API
This specification integrates with the rest of the Payment Request ecosystem by modifying the PaymentRequest(methodData, details, options)
constructor. It adds the following
steps, before the algorithm completes and returns the newly-constructed PaymentRequest
object.
In what follows, let request be the PaymentRequest
instance being constructed. [PAYMENT-REQUEST]
-
Let identifiers be a list consisting of the first item of each pair in request.[[serializedMethodData]].
-
Let client be the current settings object.
-
Ingest payment method manifests given identifiers and client.
These steps are what kicks off the whole process. The rest of §3 Processing model is concerned with defining how this process eventually leads to new payment apps being available for the user.
As this specification gains multi-implementer interest, we anticipate moving this section into the Payment Request API specification itself, instead of maintaining a monkeypatch here.
3.2. Ingesting payment method manifests
Given a list of payment method identifiers identifiers, as well as an environment settings object client, the user agent may run the following steps, to ingest payment method manifests:
-
Fetch payment method manifests, given identifiers and client, and wait for this to asynchronously complete with manifestsMap. If the result is failure, return.
-
For each identifier → manifest of manifestsMap:
-
Let parsed be the result of validating and parsing manifest. If this returns failure, continue.
-
For each url in parsed’s default applications:
-
Fetch the web app manifest at url given client, and wait for it to asynchronously complete with webAppManifestString. If the result is failure, continue.
-
Let webAppManifest be the result of running the steps for processing a web app manifest given webAppManifestString.
The steps for processing a web app manifest are very forgiving and will return empty objects or objects missing crucial fields instead of failing. User agents will need to separately validate the processed web app manifest to ensure it contains enough data for their purposes in the next step.
-
In a user-agent-specific way, use the resulting processed web app manifest webAppManifest to install any applicable payment apps for the payment method identified by identifier.
In the future, the plan is for there to be a user-agent-independent way to use the resulting processed web app manifest, by consulting its
serviceworker
field and using that to install a web-based payment app conforming to the Payment Handler API specification. [PAYMENT-HANDLER]
-
-
Associate the supported origins to identifier so that the user agent can use it in the future to determine what third-party payment apps can be displayed for the payment method identified by identifier.
-
3.3. Fetching payment method manifests
To fetch payment method manifests, given a list of JavaScript strings supportedMethods and an environment settings object client, perform the following steps. This algorithm will asynchronously complete with a map (possibly empty) from URLs to byte sequences, mapping payment method identifiers to the contents of the corresponding manifest.
-
Let identifierURLs be an empty list.
-
For each string of supportedMethods:
-
Let identifierURL be the result of basic URL parsing string. If the result is failure, continue.
The result will be failure for any payment method identifier that is not a URL-based payment method identifier, i.e. for a standardized payment method identifier.
-
If validating identifierURL returns false, continue.
-
Optionally, continue.
This step allows implementations to skip any of the provided payment method identifiers for user-agent-specific reasons. §4 Security and privacy considerations discusses some reasons why user agents might prefer to only ingest certain identifiers.
-
Append identifierURL to identifierURLs.
-
-
Let manifestsMap be an empty map.
-
For each identifierURL of identifierURLs:
-
Let identifierRequest be a new request whose method is `
HEAD
`, url is identifierURL, client is client, mode is "cors
", credentials mode is "omit
", and redirect mode is "error
". -
Fetch identifierRequest. To process response with the response identifierResponse:
-
If identifierResponse is a network error or identifierResponse’s status is not an ok status, continue.
-
Let linkHeaders be the result of extracting header list values given `
Link
` and identifierResponse’s header list. -
Let manifestURLString be null.
-
For each linkHeader of linkHeaders:
-
Parse linkHeader according to the
link-value
production. If it cannot be parsed, continue. [RFC8288] -
If the parsed header contains a parameter whose name is an ASCII case-insensitive match for the string "
rel
" and whose value is an ASCII case-insensitive match for the string "payment-method-manifest
", then set manifestURLString to the string given by theURI-Reference
production in the parsed header, and break.
-
-
If manifestURLString is not null, then:
-
Let manifestURL be the result of basic URL parsing manifestURLString with base URL given by identifierResponse’s url. If the result is failure, continue.
-
Let manifestRequest be a new request whose url is manifestURL, client is client, mode is "
cors
", credentials mode is "omit
", and redirect mode is "error
". -
Fetch manifestRequest. To process response end-of-body with the response manifestResponse:
-
If manifestResponse is a network error or manifestResponse’s status is not an ok status, continue.
-
Let body be manifestResponse’s body.
-
If body is null, continue.
-
Let reader be the result of getting a reader from body.
-
Let promise be the result of reading all bytes from body with reader.
-
Upon fulfillment of promise with a byte sequence bytes, set manifestsMap[identifierURL] to bytes.
-
-
-
-
-
Once all ongoing fetch algorithms initiated by the above steps are complete, including the specified process response and process response end-of-body steps, asynchronously complete this algorithm with manifestsMap.
3.4. Validating and parsing payment method manifests
A parsed payment method manifest is a struct containing two fields:
- default applications
-
An ordered set of URLs, possibly empty
- supported origins
-
Either the string "
*
", or an ordered set of origins
To validate and parse a byte sequence bytes purporting to contain a payment method manifest, perform the following steps. The result will either be a parsed payment method manifest, or failure.
-
Let parsed be the result of parsing JSON from bytes given bytes, in a user-agent defined JavaScript realm. If this throws an exception, return failure.
-
If Type(parsed) is not Object, return failure.
-
Let defaultApps be an empty ordered set.
-
Let defaultAppsValue be Get(parsed, "default_applications").
-
If defaultAppsValue is not undefined:
-
If IsArray(defaultAppsValue) is false, return failure.
-
Let defaultAppsList be CreateListFromArrayLike(defaultAppsValue, « String »). If this throws an exception, return failure.
-
If the size of defaultAppsList is 0, return failure.
-
For each defaultAppString in defaultAppsList:
-
Let defaultAppURL be the result of basic URL parsing defaultAppString. If the result is failure, return failure.
-
If defaultAppURL’s scheme is not "
https
", return failure. -
Append defaultAppURL to defaultApps.
-
-
-
Let supportedOrigins be an empty ordered set.
-
Let supportedOriginsValue be Get(parsed, "supported_origins").
-
If supportedOriginsValue is "
*
", set supportedOrigins to "*
". -
Otherwise, if supportedOriginsValue is not undefined:
-
If IsArray(supportedOriginsValue) is false, return failure.
-
Let supportedOriginsList be CreateListFromArrayLike(supportedOriginsValue, « String »). If this throws an exception, return failure.
-
If the size of supportedOriginsList is 0, return failure.
-
For each supportedOriginString in supportedOriginsList:
-
Let supportedOriginURL be the result of basic URL parsing supportedOriginString. If the result is failure, return failure.
-
If supportedOriginURL’s scheme is not "
https
", return failure. -
If supportedOriginURL’s username or password are not the empty string, return failure.
-
If supportedOriginURL’s path's size is not 0, return failure.
-
If supportedOriginURL’s query or fragment are not null, return failure.
-
-
-
Return a new parsed payment method manifest with default applications given by defaultApps and supported origins given by supportedOrigins.
default_applications
" or "supported_origins
"
will cause parsing to fail. That is, this is not a valid payment method manifest, and will
be rejected by the above algorithm:
{ "default_applications": ["https://alicepay.com/pay/app/webappmanifest.json"], "supported_origins": [] }
3.5. Fetching web app manifests
Because the determination of payment apps happens independent of any embedding HTML document, the procedure for obtaining a web app manifest that gives information about a default payment app is different from the usual steps for obtaining a web app manifest.
To fetch the web app manifest for a default payment app, given a URL url and an environment settings object client, perform the following steps. This algorithm will asynchronously complete with either a scalar value string or failure.
-
Let request be a new request whose url is url, client is client, mode is "
cors
", credentials mode is "omit
", and redirect mode is "error
". -
Fetch request. To process response end-of-body with the response response:
-
If response is a network error or response’s status is not an ok status, asynchronously complete this algorithm with failure.
-
Let body be response’s body.
-
If body is null, asynchronously complete this algorithm with failure.
-
Let reader be the result of getting a reader from body.
-
Let promise be the result of reading all bytes from body with reader.
-
Upon fulfillment of promise with a byte sequence bytes, asynchronously complete this algorithm with the result of UTF-8 decoding bytes.
-
Upon rejection of promise, asynchronously complete this algorithm with failure.
-
4. Security and privacy considerations
Ingesting payment method manifests might reveal information to a payment service about the activity of an end user. For example, a payment method that is only supported on one website might allow that payment provider to discover the IP addresses of users who visit that website.
One way to mitigate this is to fetch the manifests only for the payment apps that the user has installed or has explicitly expressed interest in. This confines the risk to only sharing the user’s IP address with those parties.
5. IANA considerations
5.1. The payment-method-manifest
link relation
This registration is for community review and will be submitted to the IESG for review, approval, and registration with IANA.
- Relation name
-
payment-method-manifest
- Description
-
Links to a payment method manifest, which describes a specific payment method within the Web Payments ecosystem.
- Reference
- Notes
-
See §3.3 Fetching payment method manifests for the specific manner in which such links are expected to be fetched, and §3.2 Ingesting payment method manifests for the larger context in which they are used.
Acknowledgments
§3 Processing model is based heavily on algorithms originally outlined by Rouslan Solomakhin.