Payment Method Manifest

Editor’s Draft,

More details about this document
This version:
https://w3c.github.io/payment-method-manifest/
Latest published version:
https://www.w3.org/TR/payment-method-manifest/
Feedback:
GitHub
Editors:
Dapeng Liu (Alibaba)
(Google)
(Google)
Former Editors:
Domenic Denicola (Google)
Zach Koch (Google)

Abstract

This specification defines the machine-readable manifest file, known as a payment method manifest, describing how a payment method participates in the Web Payments ecosystem, and how such files are to be used.

Status of this document

1. Introduction

This section and its sub-sections are non-normative.

1.1. Use cases

This specification intends to address the following use cases:

This is accomplished via the requirement that every payment method whose identifier is URL-based will provide a payment method manifest file in JSON format containing two key pieces of information:

1.2. Accessing the manifest

The machine-readable payment method manifest might be found either directly at the payment method identifier URL, or in a location indicated indirectly by following a HTTP `Link` header from that URL. [RFC8288]

This potential indirection allows the use of generic, human-readable URLs (such as "https://alicepay.com/") to serve as payment method identifiers, while still locating the actual payment method manifest at a different URL.

For an example payment method AlicePay, with payment method identifier "https://alicepay.com/", a user agent would issue a GET request to that payment method identifier URL as follows:

GET / HTTP/2
Host: alicepay.com
User-Agent: Mellblomenator/9000

The server could then either respond with

HTTP/2 204
Link: </pay/payment-manifest.json>; rel="payment-method-manifest"

to redirect the user agent to "https://alicepay.com/pay/payment-manifest.json", or could respond with the JSON contents of the payment method manifest directly in a 200-status response.

1.3. Example manifest file

Continuing our example from § 1.2 Accessing the manifest, the AlicePay payment method could provide the following payment method manifest file at https://alicepay.com/pay/payment-manifest.json:

{
  "default_applications": ["app/webappmanifest.json"],
  "supported_origins": [
    "https://bobpay.xyz",
    "https://alicepay.friendsofalice.example"
  ]
}

This indicates that, if the user agent does not have a payment app for AlicePay installed, it can locate one by consulting the web app manifest at "https://alicepay.com/pay/app/webappmanifest.json".

It also indicates that, apart from this default payment app, AlicePay also allows payment apps hosted at the two indicated origins to be used for AlicePay. This means that if the user agent ever encounters payment apps hosted at those origins claiming support for AlicePay, it can allow them to act as payment apps for the AlicePay payment method.

The manifest file could also omit the "supported_origins" key, if no third-party payment apps are supported for the payment method in question.

2. Manifest format

A valid payment method manifest file is a UTF-8 encoded file containing contents parseable as a JSON object. The resulting JSON object must contain at most two items, with the possible keys "default_applications" and "supported_origins".

The value of the default_applications key, if present, must be a non-empty JSON array. Each item in the array must be a valid URL string such that the resulting URL's scheme, when parsed against the URL of the payment method manifest, is "https".

The value of the supported_origins key, if present, must be a non-empty JSON array. Each item in the array must be an absolute-URL string that represents an HTTPS origin. Formally, the string must be equal to the serialization of the resulting parsed URL's origin.

Web developers must ensure that all of their payment method manifests are valid.

As with all conformance requirements on the contents of files, these are web-developer facing, and not implementer-facing. The exact processing model (given in § 3 Processing model) governs how implementers process all payment method manifest files, including invalid ones.

The following payment method manifest is not valid, but the currently-specified processing model algorithms will still accept it:
{
  "default_applications": ["app/webappmanifest.json"],
  "created_by": "Alice",
  "created_in": "Wonderland"
}

This could change in the future, for example if the processing model later expands to define a meaning for a new standard "created_by" key that requires it to be an object instead of a string. To avoid situations like this, web developers are best served by ensuring validity of their payment method manifests, and thus avoiding any unpleasant surprises.

3. Processing model

3.1. Modifications to Payment Request API

This specification integrates with the rest of the Payment Request ecosystem by modifying the PaymentRequest(methodData, details, options) constructor. It adds the following steps, before the algorithm completes and returns the newly-constructed PaymentRequest object. In what follows, let request be the PaymentRequest instance being constructed. [PAYMENT-REQUEST]

  1. Let identifiers be a list consisting of the first item of each pair in request.[[serializedMethodData]].

  2. Let client be the current settings object.

  3. Ingest payment method manifests given identifiers and client.

These steps are what kicks off the whole process. The rest of § 3 Processing model is concerned with defining how this process eventually leads to new payment apps being available for the user.

As this specification gains multi-implementer interest, we anticipate moving this section into the Payment Request API specification itself, instead of maintaining a monkeypatch here.

3.2. Ingesting payment method manifests

Given a list of payment method identifiers identifiers, as well as an environment settings object client, the user agent may run the following steps, to ingest payment method manifests:

  1. Fetch payment method manifests, given identifiers and client, and wait for this to asynchronously complete with manifestsMap. If the result is failure, return.

  2. For each identifierURL → (responseURL, manifest) of manifestsMap:

    1. Let parsed be the result of validating and parsing manifest given responseURL. If this returns failure, continue.

    2. For each webAppManifestURL in parsed’s default applications:

      1. Fetch the web app manifest at webAppManifestURL given identifierURL and client, and wait for it to asynchronously complete with webAppManifestString. If the result is failure, continue.

      2. Let webAppManifest be the result of running the steps for processing a web app manifest given webAppManifestString.

        The steps for processing a web app manifest are very forgiving and will return empty objects or objects missing crucial fields instead of failing. User agents will need to separately validate the processed web app manifest to ensure it contains enough data for their purposes in the next step.

      3. In a user-agent-specific way, use the resulting processed web app manifest webAppManifest to install any applicable payment apps for the payment method identified by identifier.

        In the future, the plan is for there to be a user-agent-independent way to use the resulting processed web app manifest, by consulting its serviceworker field and using that to install a web-based payment app conforming to the Payment Handler API specification. [PAYMENT-HANDLER]

    3. Associate the supported origins to identifier so that the user agent can use it in the future to determine what third-party payment apps can be displayed for the payment method identified by identifier.

3.3. Fetching payment method manifests

To fetch payment method manifests, given a list of JavaScript strings supportedMethods and an environment settings object client, perform the following steps. This algorithm will asynchronously complete with a map (possibly empty) from URLs to (URL, byte sequence) tuples, mapping payment method identifiers to the URL and contents of the corresponding manifest.

  1. Let identifierURLs be an empty list.

  2. For each string of supportedMethods:

    1. Let identifierURL be the result of basic URL parsing string. If the result is failure, continue.

      The result will be failure for any payment method identifier that is not a URL-based payment method identifier, i.e. for a standardized payment method identifier.

    2. If validating identifierURL returns false, continue.

    3. Optionally, continue.

      This step allows implementations to skip any of the provided payment method identifiers for user-agent-specific reasons. § 4 Security and privacy considerations discusses some reasons why user agents might prefer to only ingest certain identifiers.

    4. Append identifierURL to identifierURLs.

  3. Let manifestsMap be an empty map.

  4. For each identifierURL of identifierURLs:

    1. Let manifestURLString be null.

    2. Let identifierRequest be a new request whose method is `GET`, url is identifierURL, client is client, mode is "cors", credentials mode is "omit", redirect mode is "error", and referrer policy is "strict-origin-when-cross-origin".

    3. Let identifierFetchController be the result of fetching identifierRequest, with processResponse set to the following steps given response identifierResponse:

      1. If identifierResponse is a network error or identifierResponse’s status is not an ok status, abort these steps.

      2. Let linkHeaders be the result of extracting header list values given `Link` and identifierResponse’s header list.

      3. For each linkHeader of linkHeaders:

        1. Parse linkHeader according to the link-value production. If it cannot be parsed, continue. [RFC8288]

        2. If the parsed header contains a parameter whose name is an ASCII case-insensitive match for the string "rel" and whose value is an ASCII case-insensitive match for the string "payment-method-manifest", then set manifestURLString to the string given by the URI-Reference production in the parsed header, and break.

      4. If manifestURLString is not null, then:

        1. Terminate identifierFetchController (since the body will not be needed).

        2. Let manifestURL be the result of basic URL parsing manifestURLString with base URL given by identifierResponse’s URL. If the result is failure, then abort these steps.

        3. If manifestURL’s scheme is not "https", continue.

        4. Let manifestRequest be a new request whose URL is manifestURL, client is client, referrer is identifierResponse’s URL, mode is "cors", credentials mode is "omit", and redirect mode is "error".

        5. Fetch manifestRequest, with processResponseConsumeBody set to the following steps given manifestResponse and manifestBody:

          1. If manifestResponse’s status is not an ok status, then abort these steps.

          2. If manifestBody is null or failure, then abort these steps.

          3. Set manifestsMap[identifierURL] to (response’s URL, manifestBody).

      and with processResponseConsumeBody set to the following steps given identifierResponse and identifierBody:

      1. If manifestURLString is not null, then abort these steps.

      2. If identifierResponse’s status is not an ok status, then abort these steps.

      3. If identifierBody is null or failure, then abort these steps.

      4. Set manifestsMap[identifierURL] to (identifierResponse’s URL, identifierBody).

  5. Once all ongoing fetch algorithms initiated by the above steps are complete, including the specified processResponse and processResponseConsumeBody steps, asynchronously complete this algorithm with manifestsMap.

3.4. Validating and parsing payment method manifests

A parsed payment method manifest is a struct containing two fields:

default applications

An ordered set of URLs, possibly empty

supported origins

An ordered set of origins

To validate and parse a byte sequence bytes purporting to contain a payment method manifest, given a URL url, perform the following steps. The result will either be a parsed payment method manifest, or failure.

  1. Let string be the result of UTF-8 decoding bytes.

  2. Let parsed be the result of parsing JSON into Infra values given string. If this throws an exception, return failure.

  3. If parsed is not an ordered map, return failure.

  4. Let defaultApps be an empty ordered set.

  5. If parsed["default_applications"] exists:

    1. Let defaultAppsValue be parsed["default_applications"].

    2. If defaultAppsValue is not a list, return failure.

    3. If the size of defaultAppsValue is 0, return failure.

    4. For each defaultApp in defaultAppsValue:

      1. If defaultApp is not a string, return failure.

      2. Let defaultAppURL be the result of basic URL parsing defaultApp, given the base URL url. If the result is failure, return failure.

      3. If defaultAppURL’s scheme is not "https", return failure.

      4. Append defaultAppURL to defaultApps.

  6. Let supportedOrigins be an empty ordered set.

  7. If parsed["supported_origins"] exists:

    1. Let supportedOriginsValue be parsed["supported_origins"].

    2. If supportedOriginsValue is not a list, return failure.

    3. If the size of supportedOriginsValue is 0, return failure.

    4. For each supportedOrigin in supportedOriginsValue:

      1. If supportedOrigin is not a string, return failure.

      2. Let supportedOriginURL be the result of basic URL parsing supportedOrigin. If the result is failure, return failure.

      3. If supportedOriginURL’s scheme is not "https", return failure.

      4. If supportedOriginURL’s username or password are not the empty string, return failure.

      5. If supportedOriginURL’s path's size is not 0, return failure.

      6. If supportedOriginURL’s query or fragment are not null, return failure.

      7. Append supportedOriginURL’s origin to supportedOrigins.

  8. Return a new parsed payment method manifest with default applications given by defaultApps and supported origins given by supportedOrigins.

Empty arrays for "default_applications" or "supported_origins" will cause parsing to fail. That is, this is not a valid payment method manifest, and will be rejected by the above algorithm:
{
  "default_applications": ["https://alicepay.com/pay/app/webappmanifest.json"],
  "supported_origins": []
}

3.5. Fetching web app manifests

Because the determination of payment apps happens independent of any embedding HTML document, the procedure for obtaining a web app manifest that gives information about a default payment app is different from the usual steps for link rel="manifest".

To fetch the web app manifest for a default payment app, given a URL url, a URL referrer, and an environment settings object client, perform the following steps. This algorithm will asynchronously complete with either a scalar value string or failure.

  1. Let request be a new request whose url is url, client is client, referrer is referrer, mode is "cors", credentials mode is "omit", and redirect mode is "error".

  2. Fetch request, with processResponseConsumeBody set the following steps given response and body:

    1. If response status is not an ok status, asynchronously complete this algorithm with failure.

    2. If body is null or failure, asynchronously complete this algorithm with failure.

    3. Asynchronously complete this algorithm with the result of UTF-8 decoding body.

4. Security and privacy considerations

4.1. Revealing user activity to payment providers

Ingesting payment method manifests might reveal information to a payment service about the activity of an end user. For example, a payment method that is only supported on one website might allow that payment provider to discover the IP addresses of users who visit that website.

One way to mitigate this is to fetch the manifests only for the payment apps that the user has installed or has explicitly expressed interest in. This confines the risk to only sharing the user’s IP address with those parties.

Another important mitigation is already built in to the spec, by setting the appropriate referrer policy and referrer on the various fetches performed here. These requirements ensure that only the server that controls the identifier URL will see the user’s activity, and even then will only see the origin of the web page that is creating the PaymentRequest object (instead of seeing the full URL).

4.2. Considerations for development environments

In development situations, a user agent might lower the security requirements of this specification to ease testing. For example, the requirements in the fetch payment method manifests and validate and parse the payment method manifest algorithms requiring a "https" scheme might be dropped in a development environment. In such situations, the user agent is intentionally not complying with this specification, and should notify the user of the reduced security.

4.3. Matching payment apps

w3c/payment-method-manifest/11Matching payment apps and security in a world of payment method manifests

5. IANA considerations

This registration is for community review and will be submitted to the IESG for review, approval, and registration with IANA.

Relation name

payment-method-manifest

Description

Links to a payment method manifest, which describes a specific payment method within the Web Payments ecosystem.

Reference

https://w3c.github.io/payment-method-manifest/

Notes

See § 3.3 Fetching payment method manifests for the specific manner in which such links are expected to be fetched, and § 3.2 Ingesting payment method manifests for the larger context in which they are used.

Acknowledgments

§ 3 Processing model is based heavily on algorithms originally outlined by Rouslan Solomakhin.

Thanks to Andrew Betts, Anne van Kesteren, Ian Jacobs, L. David Baron, Marcos Cáceres, and Rouslan Solomakhin for their contributions to making this specification awesome!

Conformance

Document conventions

Conformance requirements are expressed with a combination of descriptive assertions and RFC 2119 terminology. The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in the normative parts of this document are to be interpreted as described in RFC 2119. However, for readability, these words do not appear in all uppercase letters in this specification.

All of the text of this specification is normative except sections explicitly marked as non-normative, examples, and notes. [RFC2119]

Examples in this specification are introduced with the words “for example” or are set apart from the normative text with class="example", like this:

This is an example of an informative example.

Informative notes begin with the word “Note” and are set apart from the normative text with class="note", like this:

Note, this is an informative note.

Conformant Algorithms

Requirements phrased in the imperative as part of algorithms (such as "strip any leading space characters" or "return false and abort these steps") are to be interpreted with the meaning of the key word ("must", "should", "may", etc) used in introducing the algorithm.

Conformance requirements phrased as algorithms or specific steps can be implemented in any manner, so long as the end result is equivalent. In particular, the algorithms defined in this specification are intended to be easy to understand and are not intended to be performant. Implementers are encouraged to optimize.

Index

Terms defined by this specification

Terms defined by reference

References

Normative References

[APPMANIFEST]
Marcos Caceres; et al. Web Application Manifest. URL: https://w3c.github.io/manifest/
[ENCODING]
Anne van Kesteren. Encoding Standard. Living Standard. URL: https://encoding.spec.whatwg.org/
[FETCH]
Anne van Kesteren. Fetch Standard. Living Standard. URL: https://fetch.spec.whatwg.org/
[HTML]
Anne van Kesteren; et al. HTML Standard. Living Standard. URL: https://html.spec.whatwg.org/multipage/
[INFRA]
Anne van Kesteren; Domenic Denicola. Infra Standard. Living Standard. URL: https://infra.spec.whatwg.org/
[PAYMENT-METHOD-ID]
Marcos Caceres. Payment Method Identifiers. URL: https://w3c.github.io/payment-method-id/
[PAYMENT-REQUEST]
Marcos Caceres; Rouslan Solomakhin; Ian Jacobs. Payment Request API. URL: https://w3c.github.io/payment-request/
[RFC2119]
S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. March 1997. Best Current Practice. URL: https://datatracker.ietf.org/doc/html/rfc2119
[RFC8288]
M. Nottingham. Web Linking. October 2017. Proposed Standard. URL: https://httpwg.org/specs/rfc8288.html
[URL]
Anne van Kesteren. URL Standard. Living Standard. URL: https://url.spec.whatwg.org/

Informative References

[PAYMENT-HANDLER]
Adrian Hope-Bailie; et al. Payment Handler API. URL: https://w3c.github.io/payment-handler/