MerchantValidationEvent
interface
Merchant validation is the process by which a payment handler validates the identity of a merchant against some |value| (usually some cryptographic challenge response). Validated merchants are allowed to interface with a payment handler. Details of how actual validation is performed is outside the scope of this specification.
This feature was removed from [[[Payment-Request]]] due to lack of interoperable support. However, as it is implemented by at least one browser engine, the Working Group decided to publish this document as a Working Group Note.
partial interface PaymentRequest { attribute EventHandler onmerchantvalidation; };
A {{PaymentRequest}}'s {{PaymentRequest/onmerchantvalidation}} attribute is an {{EventHandler}} for a {{MerchantValidationEvent}} named "merchantvalidation".
[SecureContext, Exposed=Window] interface MerchantValidationEvent : Event { constructor(DOMString type, optional MerchantValidationEventInit eventInitDict = {}); readonly attribute DOMString methodName; readonly attribute USVString validationURL; undefined complete(Promise<any> merchantSessionPromise); };
Instances of {{MerchantValidationEvent}} are created with the internal slots in the following table:
Internal Slot | Description (non-normative) |
---|---|
[[\waitForUpdate]] | A boolean indicating whether a {{PaymentResponse/complete()}}-initiated update is currently in progress. |
The event constructing steps, which take a {{MerchantValidationEvent}} |event:MerchantValidationEvent|, are as follows:
When getting, returns the value it was initialized with. See {{MerchantValidationEvent/methodName}} member of {{MerchantValidationEventInit}} for more information.
A URL from which a developer can fetch payment handler-specific verification data. By then passing that data (or a promise that resolves with that data) to {{PaymentResponse/complete()}}, the user agent can verify that the payment request is from an authorized merchant.
When getting, returns the value it was initialized with.
The {{MerchantValidationEvent}}'s
complete(|merchantSessionPromise|)
method MUST act as
follows:
dictionary MerchantValidationEventInit : EventInit { DOMString methodName = ""; USVString validationURL = ""; };
For payment handlers that support merchant validation, the user agent runs the request merchant validation algorithm. The algorithm takes a {{USVString}} |merchantSpecificURL|, provided by the payment handler:
The validate merchant's details algorithm takes a {{Promise}} |opaqueDataPromise| and a {{PaymentRequest}} |request|. The steps are conditional on the |opaqueDataPromise| settling. If |opaqueDataPromise| never settles then the payment request is blocked. The user agent SHOULD provide the user with a means to abort a payment request. Implementations MAY choose to implement a timeout for pending updates if |opaqueDataPromise| doesn't settle in a reasonable amount of time. If an implementation chooses to implement a timeout, they MUST execute the steps listed below in the "upon rejection" path. Such a timeout is a fatal error for the payment request.
It is important that the {{MerchantValidationEvent/validationURL}} in a {{MerchantValidationEvent}} does not expose personally identifying information to unauthorized parties.
Event name | Interface | Dispatched when… | Target |
---|---|---|---|
merchantvalidation
|
{{MerchantValidationEvent}} | The user agent requires the merchant to perform merchant validation. | {{PaymentRequest}} |