Payment app identifier to manifest filename mapping #48
Comments
I believe that the decision to serve |
|
As explained by Rouslan, I do not see there is a big problem for fixed manifest file name currently. |
|
I want to note here that the same issue is being discussed about payment method identifiers. I think we are likely to resolve the issue first about PMIs then should apply that to payment app identifiers. Ian |
|
@ianbjacobs - actually I think we can close this issue because the current plan is to have a single manifest (the URL of which is a PMI, or derived from a PMI) and the properties of the default app for that method will be in that manifest. i.e. There is no "payment app manifest" there is a "payments manifest" which describes the payment method and optionally payment apps for that method. @rsolomakhin @maxpassion Am I correct? |
|
My understanding is that for some payment methods, there is a desire to include payment app info in the payment manifest. My understanding is also that for other payment methods (e.g., basic card) we are not likely to have a payment method manifest but will still want payment app manifests on the Web. |
|
You are both correct. |
|
NOTE ON TERMINOLOGY To summarize, I believe we have consensus that we need to:
This issue addresses a 5th requirement which you have raised and @rsolomakhin agrees is a requirement, namely the need to:
I think that before we do this we need to finalize what the Payment App Identifier will look like because there are some questions I'm not sure we've answered:
I believe that requirements 2 - 4 are in the scope of the Payment Method Identifier specification and are being worked on by @maxpassion in parallel to the other work being done on the PMI spec (per resolution on the call yesterday) I believe that 1 and 5 are in the scope of the Payment Apps API specification and should be on the TODO list of the Payment Apps task force. @ianbjacobs , @rsolomakhin , @maxpassion Do we agree? |
|
All this seems right, thank you for writing it up. |
I did raise a concern about this in the previous payment apps task force meeting, in the context of merchant-recommended payment apps. The current spec says that these should be provided by means of the Payment App Identifier, but that only works if you can find the manifest file based on the PAI. If we use the scope of the ServiceWorker for the PAI, that's not the case. It is still possible to use the ServiceWorker scope as the PAI, but then the merchant needs to recommend apps by means of the url to the manifest file instead of the PAI (and we need to change section 4.4 to say this). |
Can you explain why? |
Well, I'm not an expert on ServiceWorkers, but from what @jakearchibald says here, it seems that the scope can be set relatively independently of the location of the service worker .js file. That means that we can't derive the location of the .js from the scope url. |
|
Right, but we can define some restrictions that make this easier to standardize I'd think.
So the following would work together:
The implications of this are:
|
|
Agreed with everything here except the native app standardization bit. Let's say, "Browsers need to define a mechanism for native payment apps to register themselves," and leave it at that. Would that be OK? |
|
We need to think carefully about this because we are hitting the issue I raised before with @jakearchibald and @marcoscaceres about the browser not being able to get information about the payment app without actually installing the ServiceWorker. This was the use case I was trying to explain (badly) on the Manifest issue list and I think we haven't solved it yet. Is it practical for the browser to fetch the Or are we better off deriving a manifest file URL from the payment app identifier and having the URL of the This would mean the ServiceWorker
This also solves the native app issue somewhat because the manifest can define where to get a native app in some browser defined way (already proposed in the Manifest spec btw). |
+1 |
|
Is there somewhere I can read up on why a separate payment app js file is needed? I thought we decided that reinventing things like service worker is a bad idea? |
|
I think the payment app js file mentioned above, is actually the service worker js file. |
|
I'm struggling to get a handle on this issue while all the specs are in flux. Is there an example somewhere of how this pieces together, end-to-end. FWIW, this could go in an Specifically, how are things expected to work (or not work) when the payment provider "foo" is supported by a shop, but it's not one of the stored "user agent-based payment app"s? |
|
Hi @jakearchibald, Section 4 intends to give the overall story (with some design rationale in there as well): That's different from a concrete example or two, which I agree would be useful. We'll talk about that in the task force. Regarding your question:
I'd like to rewrite your question in the terms of the spec: what happens when a payee accepts the "foo" payment method but the user does not have any registered payment apps that support that payment method? A couple of things might happen:
Does that help? Ian |
|
This won't help with your specific question about what happens when a user doesn't have a Payment App (or anything in particular about manifests), but in case you haven't seen it, there is a Web Payments Overview document if you want to get a high-level view of how everything fits together end-to-end: |
|
Thanks! I think I now know enough to have a go at writing… something. A "user agent-based payment app" should be registered via a service worker (unless there's good reason to do something else), as this is how it's done with every other sw-based API. Is there consensus on this? For "recommended payment apps" that aren't yet registered, you need some way to install a service worker for the recommended app should the user choose to use it. Providing a link to the payment app's manifest is one way of doing this, especially now it now supports service worker registration details w3c/manifest#507. Aside, but kinda what this issue is about: I strongly recommend against magic when it comes to determining the location of the manifest. Payees should just link to the manifest. Service workers have magic around the scopes they can control (due to legacy sites that ignore SOP), and it's a pain in the arse. It's really tough for devs to make sense of it & debug. The magic is a compromise, not a feature. The way payment apps are presented to the user is super sensitive, and something that should be thought about when designing the API. I'd only recommend showing data from the manifest if the user has already seen it and "accepted" it in the context of the origin that owns the manifest. Eg, if you display: …to the user, where "Paypal icon" and "Paypal" are from the manifest, and "evil.com" is determined by the manifest URL, the details from the manifest only serve to weaken security - the important and reliable data is "evil.com". Therefore, for recommended payment apps that aren't registered as a "user agent-based payment app", I'm not sure it's wise to show anything from the manifest other than its origin. (You might be able to add the manifest's scope to the end of the origin, since that'd help with origins that have many manifests, but it should be done really carefully.) For recommended payment apps that are also a registered "user agent-based payment app", you can show manifest details if the user has already accepted them. As in, they've been on the origin in question, and a permission dialog has appeared asking if this origin can become a payment app, and it shows the user how this payment app will be presented to them later. Hopefully they'd see the mismatch between evil.com and the paypal icon at this point. This is one of the reasons we don't let added-to-homescreen websites update their name & icon, we don't want them changing to something misleading without the user's observation. If you agree with the above, the only safe way for a user to adopt a payment provider is to accept a permission from the origin. Therefore, a recommended payment app doesn't need to be any more than a link. The link, when opened, would show details of its choosing, install its service worker, and ask for permission to be a payment app, as above. Once this is done it could signal completion somehow (sorry that's a bit hand-wavy, but I guess there'll be something similar in place for when the payment app needs to show UI for login & confirmation). I haven't been keeping up with this repo, so apologies if this post is retreading old ground or is simply… wrong. |
Yes, that's how the work has been proceeding and it's my understanding that there's consensus on it. I'll let others respond in more detail to your comments on displaying/getting recommended apps installed (I think you've got the right idea in general though), but I did want to say ...
I believe this may be related to whatever we come up with in #73, so I wanted to link to it. |
I would say yes. We are still working out the details, but this is definitely the direction.
Ok
Agreed. I chatted about user consent yesterday with @marcoscaceres ; stay tuned for a proposal.
That's what we discussed yesterday. (That's not explicit in the spec, so this will be a good fix.) Thanks for the suggestions. I am looking forward to the proposal from @marcoscaceres, which I think will address a number of issues:
Ian |
To clarify, I think the API should handle full URLs, so an origin can have many payment apps, but when presenting them to the user the origin is the security-important part. |
|
You wrote:
We are working on a spec that defines a manifest file for payment methods. But as of right now we do not, for Web-based payment apps, require a manifest file for payment apps. (If I understand were @marcoscaceres is thinking the spec should go, there may be even less The current spec says that payees link to service worker code (through a "payment app identifier"). Ian |
|
The "scope" of the service worker is its primary key. So if you're trying to identify a particular active service worker on another origin, the "scope" is the thing to use. My blog has a service worker at https://jakearchibald.com/sw.js, but the scope of the service worker is https://jakearchibald.com/. |
|
Does using the scope limit us to being able to identify one payment app per origin? Ian |
|
Nope. For instance: https://jakearchibald.github.io/svgomg/sw.js has scope https://jakearchibald.github.io/svgomg/ A single service worker registration can change its script url throughout its life, but its scope cannot change. |
|
Thank you for the example (and patience as I learn about these "Web things") Ian |
Hooray! Another reason it is great to have @marcoscaceres involved in this.
This is the point I have been trying make 😄 (See #48 (comment)) Web-based payment apps ARE service workers, therefor we should identify a web based payment app the same way a Service Worker is identified (using the scope URL). Can we agree that the thing we are calling the Payment App Identifier must be the scope of the service worker? The challenge now is providing some sort of discovery mechanism to the browser for recommended payment apps. If the payee simply gives the browser a list of Payment App Identifiers (scope URLs) then the browser is able to determine if the apps are already installed or not and for those that are it has meta-info like the icon and label. But, for all of the apps that are not installed the browser can't go any further. i.e. a GET on the URL will return an undefined result. My compromise was to define a convention for the relative location of either the Service Worker script ( In this case the browser can at least know where to go to install the service worker. Without this, it is stuck. The advantage of pointing to a manifest file is that the browser can get information about the app without executing the service worker registration logic. The alternative is that for each recommended payment app the merchant supplies both the payment app identifier (scope URL) and a URL to the manifest or service worker script. So the recommended apps data in the payment request might look something like this: 1. Do we prefer a convention for a relative URL (assuming we will still decide if that should apply to script or manifest file or both)? I think that the security issue @jakearchibald raises about the security risk introduced if the app provides a logo and label, is very important. We've come up against this "How do we verify an apps integrity?" question multiple times and I don't know if we have a good answer. Presenting the user with a list of URLs as "recommended payment apps" seems like a non-starter, no? |
👍 Some more evidence that recommended payment apps are adding complexity that we are perhaps not ready for in v1: #92 (comment) |
|
It seems that presenting to the user a combination of icon/name/domain would serve the purpose of giving the user the information they need to make a decision (domain), while allowing for some degree of branding (which seems to be important here). |
|
@adamroach the security concern is, who provides the icon and label? If I have never installed a payment app from my bank and then I see their name and logo appear under an origin that is similar (but not the same) as theirs I am very likely to select that app and run through the registration process which may include providing all my online banking login details. |
|
Like I said #48 (comment) The icon and label as provided by the manifest only serve to weaken security. Given the function (payment) this should be taken a lot more seriously. |
You're not alone on that one, @adrianhopebailie. +1 for dropping recommended apps entirely for three reasons 1) implementation complexity, 2) security concerns, 3) it will lead to a skewed playing field (skewed toward major payment app providers). |
|
This is a helpful discussion, thanks everyone. I'll bring the security issue to the task force for discussion this week or next. Given that we have heard there is interest in this feature, we'll continue to try to work through these issues. Ian |
|
@jakearchibald -- It's not that I don't take security seriously; it's just that you haven't outlined any threat that the proposed approaches actually make worse; or, if you have, you haven't described how it does so. Let's back up. The state of the art today is that a malicious or hacked merchantsite.com could contain a "Check out with Paypal"-branded button on their site, with the button linking to a "checkout flow" on evil.com. Keeping that in mind, describe a scenario that the proposed "Recommended Payment" functionality enables that isn't currently possible. Start with the user clicking on "buy," and describe the steps that take place up to the point that money leaves that user's possession and enters the hands of someone they did not desire to pay. |
|
Browser security is built around the idea that there are parts of the UI under the site's control, and therefore to be trusted as much as you trust the site, and parts that are under the browser's control, and to be trusted as much as you trust the browser. For instance, if the site says "I am secure" - you trust this less than if the browser says "this site is secure". What we're talking about is a new UI flow, where multiple origins are represented in the same space, controlled by the browser. This thread seems to be suggesting that the current origin would get to choose which origins appear here, and those origins would control how they appear (text & icon). So now we're mixing the model up. Origins are being presented to the user, by the browser, for the first time, on their terms. It will appear like my browser (not the site) is suggesting I use "PayPal", but it is in fact evil.com pretending to be PayPal. Given that we do not allow origin-controlled text into permission prompts, I'm not sure we should be ok with this. |
As I've been pointing out in my comments (#48 (comment)), I'm not party to the internal discussion of this group, so I'm trying to piece things together from what I can find on specs & on GitHub. I keep asking how this data is going to be used, and what the flow is for a recommended payment app. If this group has already shown that browser UI can be used to show recommended payment apps in a safe & beneficial way, I'd love to see it! Sorry I haven't been able to find it myself. Pointing me to the existing evidence seems more productive than me guessing and being told I'm right/wrong 😄. |
Now, getting back to that original question: "Why would the merchant recommend a payment app that would steal the user's money?" This seems like a silly thing to do, especially because now the merchant will never get that money. However, if "there's no present day incentive for this attack" is the reasoning for deviating from the existing browser security model, I don't think it's a strong argument. For example, imagine a future where:
|
|
All of this depends on the intended user flow. If recommended payment apps can be registered via a special payments browser UI, there's a security concern as we're adding an origin level permission without ever showing the user the origin. If the browser simply links to the other origin so it can install and present permission prompts, then it's really just a link, and I don't see why this should sit in trusted browser UI. It risks looking like a browser endorsement, whereas a link on a page doesn't. But again, I'm just guessing because no one's detailing how this API is supposed to work in a secure way. 😢 |
I don't think anyone would be against showing the origin of the recommended payment app along with the icon and label. If we prominently display the origin of each recommended payment app, does that take care of your security concerns, or is there more to it? If you feel that the description in the current specification, on the subject of recommended payment apps, is a bit thin, then you're absolutely right. The reason for this is that we are in the middle of figuring out how everything is supposed to work. We have identified that there is a desire/need for something like recommended payment apps, but the fine details are left to be discussed. The good news is that we're discussing it right now, and I think we're getting somewhere 😄 |
Like I said earlier in the thread, in this case the label and icon only serve to weaken security as they're in control of the origin which aims to earn these permissions. This will be happening in a new browser-owned API, which users traditionally trust, and it seems we're talking about breaking/blurring that model.
Well, kinda. My major frustration with this thread is that it keeps descending into "How can we fetch a manifest?", but the steps need to be:
If "What should the flow be?" shows that we cannot use data provided by the other origin for security reasons, then that changes the next two steps considerably. I've pointed this out here #48 (comment) and here #48 (comment) and here #48 (comment) and here #48 (comment) and here #48 (comment) and here #48 (comment) but as you can see there's still further discussion around manifests and link headers. One of the champions for "presenting previously unvisited payments apps" needs to show a secure user flow for this feature, then we can start discussing APIs to make it work. If a secure user flow cannot be presented, this issue is dead. |
|
"One of the champions for "presenting previously unvisited payments apps" needs to show a secure user flow for this feature, then we can start discussing APIs to make it work." Agreed that we should address that first. It's on the task force's agenda today. Ian |
Was this discussed in the task force meeting? I can't find anything about this in the minutes. If no one else is on top of this, I can take a stab at showing this user flow. |
|
Hi @tommythorsen, We did not have time to cover it at this week's call. I think there was a sense that we should continue discussion on some of these issues on GitHub. Ian |
|
@ianbjacobs and @jakearchibald Based on our discussions so far, recommendations here are done by means of a url only. Icon and label are fetched from the payment app web server instead of being provided by the merchant. What do you think? |
|
@tommythorsen thanks for putting this together! With "what we don't want" - I'm not sure you'd ever show this. The page would be able to detect "no matching payment methods" and show links to supported methods. The above would solve my issues with "A much better experience". Currently the browser is presenting a link of the merchant's choosing, along with a title & icon of the payment app's choosing. I'm really worried this will look like endorsement from the browser, and the title and icon is distracting from the security-sensitive part. I'm not sure "The merchant recommends…" is enough to overcome this. "Installing the payment app" is problematic because (I assume) it'll involve a browser permission while you're showing two different origins on the screen. I think we bypass a lot of the security complication if we allow the merchant to detect "no payment apps available", and they just show some links on a page, which are already well-understood by users in terms of who's offering the links, and who controls the content. Because it's a link, there'll be nothing new happening when the payment app requests permission. |
I'm not sure what you mean here. Do you suggest that the browser should know about every payment method in the world and suggest an appropriate payment app? For the most common ones like Visa, PayPal etc., this is feasible, but there's an incredible amount of existing payment methods around the world. I would prefer if the browser did not have to care about these individual payment apps. Having the merchant (who needs to care about the individual payment methods anyway) provide links to payment apps makes much more sense to me.
The screens on that page are mockups, they are not supposed to be the final UI design. Security issues like this one can be easily addressed by minor tweaks, such as making the the payment dialog full screen in this case.
Sure, but by letting the merchant query for this information, we provide a vector for fingerprinting. Judging by the ruckus around the Battery Status API, it feels like we should step carefully here. This might be an area where you have more expertise than me, though. Do you think, @jakearchibald, that there is a way for us to provide this "no payment apps available" information without exposing 1) information that can be used for fingerprinting, and 2) sensitive information about the user? |
Of course not 😄. I said "The page" not "The browser".
That's what I'm saying. Why are we using privileged browser UI to show links when pages can already do it in a less security-sensitive and user-familiar way?
Right, but at that point we're no better than
https://w3c.github.io/browser-payment-api/#show-method already rejects with a particular error if no supported payment apps are available. A site could use this as a trigger to display a list of recommendations. If this is a fingerprinting issue, I guess we need to take it up with that spec. FWIW, fingerprinting is kinda possible with your proposal too. If |
😄 I seem to have misread you.
Yeah, this would probably work even without any further changes. One approach that might be sufficient, at least for version 1 of the specification, could be to figure out the best way for a merchant to use the existing behavior of the payment request api to implement recommendations on his web page, and then produce some really good examples that shows the best practices. I don't think there's a fingerprinting issue with the |
|
The more I think about it, the more I lean towards following @jakearchibald's advice and ditch the Recommended Payment Apps, at least from the first version of the specification. Pros:
Cons
This con is not insignificant, but I think it can be remedied to some extent by providing really good examples and best practices that the implementers of merchant pages can make use of. At the end of the day, it could be that merchants will be more happy with this approach, as it gives them more control. If we choose to go in this direction, do we even need a Payment App Identifier for anything? Maybe we could just drop the whole concept. I don't think we really need a manifest file either. |
|
I'm also in favor of the below.
… On 3 Feb 2017, at 9:28 pm, Tommy Thorsen ***@***.***> wrote:
The more I think about it, the more I lean towards following @jakearchibald's advice and ditch the Recommended Payment Apps, at least from the first version of the specification.
Pros:
Simpler to specify
Simpler for the mediator to implement
Avoids security issues with showing untrusted elements in trusted browser UI
Lets merchants present recommendations in whichever way they desire
Cons
More work for the merchants who want to implement app recommendations
This con is not insignificant, but I think it can be remedied to some extent by providing really good examples and best practices that the implementers of merchant pages can make use of. At the end of the day, it could be that merchants will be more happy with this approach, as it gives them more control.
If we choose to go in this direction, do we even need a Payment App Identifier for anything? Maybe we could just drop the whole concept. I don't think we really need a manifest file either.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
I observe only lukewarm support for merchant-recommended payment apps in V1 of the specification. A modified version of the proposal is this:
Any thoughts on this reduced approach that still allows merchants to provide some preference information? Ian |
|
@ianbjacobs if you want a reduced approach, my proposal above would fit that bill. The only thing the merchant provides to recommend an app, is a url to a web page where the user can install the payment app. I would still vote for leaving this out of V1, since it is possible for the merchants to implement recommendations fairly easily without this. I can try some time next week to actually implement this in my test merchant page, to see how hard it is to do. |
|
I'd prefer the recommendation stuff be incubated in a separate spec. |
|
I am closing this issue because:
Therefore, the original question of this issue is now moot. Ian |
Let's figure out how to map payment app identifier (e.g.,
https://alipay.com/some/path) to the manifest filename (e.g.,https://alipay.com/some/path/payment-manifest.json). I prefer fixed filename because of simplicity for both user agent implementers and payment app writers.@adrianhopebailie wrote:
Favicon is indeed not ideal design, because user agents try to download
https://example.com/favicon.icowhen the user wants to seehttps://example.com/some/path/to/resource. We've all been annoyed at seeing404 /favicon.icoin our server logs.However, I believe that I'm proposing something more similar to
index.htmlpattern, i.e., user is pointing their user agent tohttps://example.com/some/path/to/resourcebut sees the contents ofhttps://example.com/some/path/to/resource/index.htmlinstead.The user agent will dereference
https://alipay.com/some/path/payment-manifest.jsononly when a merchant wants to usehttps://alipay.com/some/pathfor payments. Therefore, there should be no spurious404 /some/path/payment-manifest.jsonin server logs.The text was updated successfully, but these errors were encountered: