[w3c/webpayments] Finer points of integration with Web App Manifest (#225)

Re: Zach Koch's [Payment Manifest Proposal V2](https://github.com/zkoch/zkoch.github.io/blob/master/pmi-v2.md)

(Pasting a rambled thought train from a [blink-dev thread](https://groups.google.com/a/chromium.org/forum/#!forum/blink-dev).)

Firstly, I'm not sure why Web Payments is going to mandate things specific to Play (i.e., the Android platform). How will this work on other platforms? Will you need to specify a native app for each platform? Will we need to specify additional metadata in other platforms for `related_applications`?

This proposes adding two new fields to the `related_applications` struct. This is already kind of a dumping ground for proprietary metadata (since the `id` field is at the discretion of the platform, and specific platforms are not part of the standard). But the manifest spec currently doesn't allow for arbitrary extra fields to be added by platform, so we should work out a way to do that in a future-proof way. Maybe we just say "any platform can add new proprietary fields", or maybe we want to add a standard-named field `meta`, which is a dict that can contain arbitrary JSON content.

Lastly, it doesn't say what those two fields are used for. I assume `sha256_cert_fingerprints` is to verify that the Android app matches that fingerprint (so you can't just have a random side-loaded app with the same app ID). Would we be incorporating this checking into all the things that use `related_applications`? Or just web payments?

And what is `version` for? Minimum? Maximum? Is it supposed to match the Android version code? What if I want to define rules for a range of allowed versions? Is this going to break if a new version of the APK rolls out?

Matt


Received on Wednesday, 29 March 2017 01:00:59 UTC
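
The check the message assumes `sha256_cert_fingerprints` is for, sketched as an added example (not part of the message or of the proposal): an installed app is accepted only when a `related_applications` entry with its platform and `id` also pins the SHA-256 of its signing certificate. The manifest layout, the colon-separated fingerprint format, the `play` platform value, the app ids and the certificate bytes are all constructed assumptions; `version` is left out because its meaning is the open question above.

```python
import hashlib
import hmac

# Constructed stand-in for an app's DER-encoded signing certificate.
SAMPLE_CERT = b"constructed signing certificate bytes (not a real cert)"

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the signing certificate, lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()

def normalize(pin) -> str:
    """Accept 'AA:BB:...' or plain hex; return lowercase hex, '' if malformed."""
    if not isinstance(pin, str):
        return ""
    cleaned = pin.replace(":", "").strip().lower()
    ok = len(cleaned) == 64 and all(c in "0123456789abcdef" for c in cleaned)
    return cleaned if ok else ""

def app_matches_manifest(manifest, platform, app_id, cert_der) -> bool:
    """True only if an entry for this platform and id pins the app's certificate."""
    actual = fingerprint(cert_der)
    entries = manifest.get("related_applications")
    if not isinstance(entries, list):
        return False
    for entry in entries:
        if not isinstance(entry, dict):
            continue
        if entry.get("platform") != platform or entry.get("id") != app_id:
            continue
        pins = entry.get("sha256_cert_fingerprints")
        if not isinstance(pins, list):
            continue  # no pin list: fail closed instead of trusting the id alone
        # Constant-time compare; a malformed pin normalizes to '' and never matches.
        if any(hmac.compare_digest(normalize(p), actual) for p in pins):
            return True
    return False

def sample_manifest() -> dict:
    """Constructed manifest; the layout is an assumption, not the proposal's text."""
    hexfp = fingerprint(SAMPLE_CERT).upper()
    pin = ":".join(hexfp[i:i + 2] for i in range(0, 64, 2))
    return {"related_applications": [
        {"platform": "play", "id": "com.example.pay",
         "sha256_cert_fingerprints": [pin]},
        {"platform": "play", "id": "com.example.nopin"},
    ]}

if __name__ == "__main__":
    m = sample_manifest()
    print(app_matches_manifest(m, "play", "com.example.pay", SAMPLE_CERT))
    print(app_matches_manifest(m, "play", "com.example.pay", b"other cert"))
```

The second call models the side-loaded app with the same app ID that the message describes: the id matches but the certificate does not, so the check rejects it.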