1. Introduction
This section and its sub-sections are non-normative.
1.1. Use cases
This specification intends to address the following use cases:
-
The owner of a payment method wishes to authorize only certain parties to distribute payment apps that are capable of implementing the payment method. In this use case, the browser helps to ensure that for that payment method, the user can only invoke payment apps from parties authorized by the owner of the payment method.
-
In addition, the owner of a payment method wishes to confirm the authenticity of a particular payment app (e.g., via a digital signature for that app).
-
When the user has not yet installed a payment app for a payment method, the user agent can provide an improved user experience for procuring one.
This is accomplished via the requirement that every payment method whose identifier is URL-based will provide a payment method manifest file in JSON format containing two key pieces of information:
-
any default payment apps that are associated with this payment method, referenced as valid URL strings giving the URL of their web app manifests; and
-
any other origins that are permitted to return payment credentials for this payment method.
1.2. Accessing the manifest
The machine-readable payment method manifest might be found either directly at the payment method identifier URL, or in a location indicated indirectly by following a HTTP
`Link
` header from that URL. [RFC8288]
This potential indirection allows the use of generic, human-readable URLs (such as
"https://alicepay.com/
") to serve as payment method identifiers, while still
locating the actual payment method manifest at a different URL.
For an example payment method AlicePay, with payment method identifier "https://alicepay.com/
", a user agent would issue a GET request to that payment method identifier URL as follows:
GET / HTTP/2 Host: alicepay.com User-Agent: Mellblomenator/9000
The server could then either respond with
HTTP/2 204 Link: </pay/payment-manifest.json>; rel="payment-method-manifest"
to redirect the user agent to "https://alicepay.com/pay/payment-manifest.json
", or
could respond with the JSON contents of the payment method manifest directly in a 200
-status response.
1.3. Example manifest file
Continuing our example from § 1.2 Accessing the manifest, the AlicePay payment method could provide the
following payment method manifest file at https://alicepay.com/pay/payment-manifest.json
:
{ "default_applications" : [ "app/webappmanifest.json" ], "supported_origins" : [ "https://bobpay.xyz" , "https://alicepay.friendsofalice.example" ] }
This indicates that, if the user agent does not have a payment app for AlicePay installed, it
can locate one by consulting the web app manifest at
"https://alicepay.com/pay/app/webappmanifest.json
".
It also indicates that, apart from this default payment app, AlicePay also allows payment apps hosted at the two indicated origins to be used for AlicePay. This means that if the user agent ever encounters payment apps hosted at those origins claiming support for AlicePay, it can allow them to act as payment apps for the AlicePay payment method.
The manifest file could also omit the "supported_origins
" key, if no third-party
payment apps are supported for the payment method in question.
2. Manifest format
A valid payment method manifest file is a UTF-8 encoded file containing contents parseable as a JSON object. The resulting JSON object must contain
at most two items, with the possible keys "default_applications
" and
"supported_origins
".
The value of the default_applications
key, if present, must be a non-empty JSON array.
Each item in the array must be a valid URL string such that the resulting URL's scheme, when parsed against the URL of the payment method manifest, is "https
".
The value of the supported_origins
key, if present, must be a non-empty JSON array.
Each item in the array must be an absolute-URL string that represents an HTTPS origin. Formally, the string must be equal to
the serialization of the resulting parsed URL's origin.
Web developers must ensure that all of their payment method manifests are valid.
As with all conformance requirements on the contents of files, these are web-developer facing, and not implementer-facing. The exact processing model (given in § 3 Processing model) governs how implementers process all payment method manifest files, including invalid ones.
{ "default_applications" : [ "app/webappmanifest.json" ], "created_by" : "Alice" , "created_in" : "Wonderland" }
This could change in the future, for example if the processing model later expands to define a
meaning for a new standard "created_by
" key that requires it to be an object instead
of a string. To avoid situations like this, web developers are best served by ensuring validity of their payment method manifests, and thus avoiding any unpleasant surprises.
3. Processing model
3.1. Modifications to Payment Request API
This specification integrates with the rest of the Payment Request ecosystem by modifying the PaymentRequest(methodData, details, options)
constructor. It adds the following
steps, before the algorithm completes and returns the newly-constructed PaymentRequest
object.
In what follows, let request be the PaymentRequest
instance being constructed. [PAYMENT-REQUEST]
-
Let identifiers be a list consisting of the first item of each pair in request.[[serializedMethodData]].
-
Let client be the current settings object.
-
Ingest payment method manifests given identifiers and client.
These steps are what kicks off the whole process. The rest of § 3 Processing model is concerned with defining how this process eventually leads to new payment apps being available for the user.
As this specification gains multi-implementer interest, we anticipate moving this section into the Payment Request API specification itself, instead of maintaining a monkeypatch here.
3.2. Ingesting payment method manifests
Given a list of payment method identifiers identifiers, as well as an environment settings object client, the user agent may run the following steps, to ingest payment method manifests:
-
Fetch payment method manifests, given identifiers and client, and wait for this to asynchronously complete with manifestsMap. If the result is failure, return.
-
For each identifierURL → (responseURL, manifest) of manifestsMap:
-
Let parsed be the result of validating and parsing manifest given responseURL. If this returns failure, continue.
-
For each webAppManifestURL in parsed’s default applications:
-
Fetch the web app manifest at webAppManifestURL given identifierURL and client, and wait for it to asynchronously complete with webAppManifestString. If the result is failure, continue.
-
Let webAppManifest be the result of running the steps for processing a web app manifest given webAppManifestString.
The steps for processing a web app manifest are very forgiving and will return empty objects or objects missing crucial fields instead of failing. User agents will need to separately validate the processed web app manifest to ensure it contains enough data for their purposes in the next step.
-
In a user-agent-specific way, use the resulting processed web app manifest webAppManifest to install any applicable payment apps for the payment method identified by identifier.
In the future, the plan is for there to be a user-agent-independent way to use the resulting processed web app manifest, by consulting its
serviceworker
field and using that to install a web-based payment app conforming to the Payment Handler API specification. [PAYMENT-HANDLER]
-
-
Associate the supported origins to identifier so that the user agent can use it in the future to determine what third-party payment apps can be displayed for the payment method identified by identifier.
-
3.3. Fetching payment method manifests
To fetch payment method manifests, given a list of JavaScript strings supportedMethods and an environment settings object client, perform the following steps. This algorithm will asynchronously complete with a map (possibly empty) from URLs to (URL, byte sequence) tuples, mapping payment method identifiers to the URL and contents of the corresponding manifest.
-
Let identifierURLs be an empty list.
-
For each string of supportedMethods:
-
Let identifierURL be the result of basic URL parsing string. If the result is failure, continue.
The result will be failure for any payment method identifier that is not a URL-based payment method identifier, i.e. for a standardized payment method identifier.
-
If validating identifierURL returns false, continue.
-
Optionally, continue.
This step allows implementations to skip any of the provided payment method identifiers for user-agent-specific reasons. § 4 Security and privacy considerations discusses some reasons why user agents might prefer to only ingest certain identifiers.
-
Append identifierURL to identifierURLs.
-
-
Let manifestsMap be an empty map.
-
For each identifierURL of identifierURLs:
-
Let manifestURLString be null.
-
Let identifierRequest be a new request whose method is `
GET
`, url is identifierURL, client is client, mode is "cors
", credentials mode is "omit
", redirect mode is "error
", and referrer policy is "strict-origin-when-cross-origin
". -
Let identifierFetchController be the result of fetching identifierRequest, with processResponse set to the following steps given response identifierResponse:
-
If identifierResponse is a network error or identifierResponse’s status is not an ok status, abort these steps.
-
Let linkHeaders be the result of extracting header list values given `
Link
` and identifierResponse’s header list. -
For each linkHeader of linkHeaders:
-
Parse linkHeader according to the
link-value
production. If it cannot be parsed, continue. [RFC8288] -
If the parsed header contains a parameter whose name is an ASCII case-insensitive match for the string "
rel
" and whose value is an ASCII case-insensitive match for the string "payment-method-manifest
", then set manifestURLString to the string given by theURI-Reference
production in the parsed header, and break.
-
-
If manifestURLString is not null, then:
-
Terminate identifierFetchController (since the body will not be needed).
-
Let manifestURL be the result of basic URL parsing manifestURLString with base URL given by identifierResponse’s URL. If the result is failure, then abort these steps.
-
Let manifestRequest be a new request whose URL is manifestURL, client is client, referrer is identifierResponse’s URL, mode is "
cors
", credentials mode is "omit
", and redirect mode is "error
". -
Fetch manifestRequest, with processResponseConsumeBody set to the following steps given manifestResponse and manifestBody:
-
and with processResponseConsumeBody set to the following steps given identifierResponse and identifierBody:
-
-
-
Once all ongoing fetch algorithms initiated by the above steps are complete, including the specified processResponse and processResponseConsumeBody steps, asynchronously complete this algorithm with manifestsMap.
3.4. Validating and parsing payment method manifests
A parsed payment method manifest is a struct containing two fields:
- default applications
-
An ordered set of URLs, possibly empty
- supported origins
-
An ordered set of origins
To validate and parse a byte sequence bytes purporting to contain a payment method manifest, given a URL url, perform the following steps. The result will either be a parsed payment method manifest, or failure.
-
Let string be the result of UTF-8 decoding bytes.
-
Let parsed be the result of parsing JSON into Infra values given string. If this throws an exception, return failure.
-
If parsed is not an ordered map, return failure.
-
Let defaultApps be an empty ordered set.
-
If parsed["
default_applications
"] exists:-
Let defaultAppsValue be parsed["
default_applications
"]. -
If defaultAppsValue is not a list, return failure.
-
If the size of defaultAppsValue is 0, return failure.
-
For each defaultApp in defaultAppsValue:
-
If defaultApp is not a string, return failure.
-
Let defaultAppURL be the result of basic URL parsing defaultApp, given the base URL url. If the result is failure, return failure.
-
If defaultAppURL’s scheme is not "
https
", return failure. -
Append defaultAppURL to defaultApps.
-
-
-
Let supportedOrigins be an empty ordered set.
-
If parsed["
supported_origins
"] exists:-
Let supportedOriginsValue be parsed["
supported_origins
"]. -
If supportedOriginsValue is not a list, return failure.
-
If the size of supportedOriginsValue is 0, return failure.
-
For each supportedOrigin in supportedOriginsValue:
-
If supportedOrigin is not a string, return failure.
-
Let supportedOriginURL be the result of basic URL parsing supportedOrigin. If the result is failure, return failure.
-
If supportedOriginURL’s scheme is not "
https
", return failure. -
If supportedOriginURL’s username or password are not the empty string, return failure.
-
If supportedOriginURL’s path's size is not 0, return failure.
-
If supportedOriginURL’s query or fragment are not null, return failure.
-
-
-
Return a new parsed payment method manifest with default applications given by defaultApps and supported origins given by supportedOrigins.
default_applications
" or "supported_origins
"
will cause parsing to fail. That is, this is not a valid payment method manifest, and will
be rejected by the above algorithm:
{ "default_applications" : [ "https://alicepay.com/pay/app/webappmanifest.json" ], "supported_origins" : [] }
3.5. Fetching web app manifests
Because the determination of payment apps happens independent of any embedding HTML document,
the procedure for obtaining a web app manifest that gives information about a default payment
app is different from the usual steps for link rel="manifest"
.
To fetch the web app manifest for a default payment app, given a URL url, a URL referrer, and an environment settings object client, perform the following steps. This algorithm will asynchronously complete with either a scalar value string or failure.
-
Let request be a new request whose url is url, client is client, referrer is referrer, mode is "
cors
", credentials mode is "omit
", and redirect mode is "error
". -
Fetch request, with processResponseConsumeBody set the following steps given response and body:
-
If response status is not an ok status, asynchronously complete this algorithm with failure.
-
If body is null or failure, asynchronously complete this algorithm with failure.
-
Asynchronously complete this algorithm with the result of UTF-8 decoding body.
-
4. Security and privacy considerations
4.1. Revealing user activity to payment providers
Ingesting payment method manifests might reveal information to a payment service about the activity of an end user. For example, a payment method that is only supported on one website might allow that payment provider to discover the IP addresses of users who visit that website.
One way to mitigate this is to fetch the manifests only for the payment apps that the user has installed or has explicitly expressed interest in. This confines the risk to only sharing the user’s IP address with those parties.
Another important mitigation is already built in to the spec, by setting the appropriate referrer policy and referrer on the various fetches performed here. These
requirements ensure that only the server that controls the identifier URL will see the user’s activity, and even then will only see the origin of the web page that is creating the PaymentRequest
object (instead of seeing the full URL).
4.2. Considerations for development environments
In development situations, a user agent might lower the security requirements of this specification
to ease testing. For example, the requirements in the fetch payment method manifests and validate and parse the payment method manifest algorithms requiring a "https
" scheme might be dropped in a development environment. In such situations, the user agent is
intentionally not complying with this specification, and should notify the user of the reduced
security.
4.3. Matching payment apps
5. IANA considerations
5.1. The payment-method-manifest
link relation
This registration is for community review and will be submitted to the IESG for review, approval, and registration with IANA.
- Relation name
-
payment-method-manifest
- Description
-
Links to a payment method manifest, which describes a specific payment method within the Web Payments ecosystem.
- Reference
- Notes
-
See § 3.3 Fetching payment method manifests for the specific manner in which such links are expected to be fetched, and § 3.2 Ingesting payment method manifests for the larger context in which they are used.
Acknowledgments
§ 3 Processing model is based heavily on algorithms originally outlined by Rouslan Solomakhin.
Thanks to Andrew Betts, Anne van Kesteren, Ian Jacobs, L. David Baron, Marcos Cáceres, and Rouslan Solomakhin for their contributions to making this specification awesome!