Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Registering preferred payment providers #12

Open
msporny opened this issue Jun 24, 2013 · 2 comments
Open

Registering preferred payment providers #12

msporny opened this issue Jun 24, 2013 · 2 comments
Assignees
@msporny
Labels
design enhancement
Milestone
Last Call

Comments

@msporny
Copy link
Member

msporny commented Jun 24, 2013

The Browser Payments spec currently requires a whitelist that is managed by the browser manufacturer to operate correctly. While this ensures that there is a curated list of vendors that are trusted by the browser manufacturer, it also prevents people from selecting a preferred payment provider. For example, there may be hundreds of PaySwarm Authorities around the world and the smaller ones will have a very hard time convincing companies like Microsoft or Apple to add them to the whitelist.

There should be a better way of managing the whitelist of preferred payment providers. Ideally, there would be an API call that a payment provider could make to ask the customer whether or not they'd like to add the site as a payment provider.
@ghost ghost assigned msporny Jun 24, 2013
@kumar303
Copy link
Member

Mozilla's main rationale for shipping with a whitelist was security. The payments window could be used for phishing if a rogue payment provider can serve content from the Trusted UI. At the end of the day, Mozilla shipped v1 with a whitelist because we ran out of time.

@msporny
Copy link
Member Author

msporny commented Jun 26, 2013

Right, so I think that the whitelist could be "easily" transitioned to something that is managed by the customer.

The biggest problem with this approach is still phishing, so we have to be very vocal about the risks in a

navigator.payments.register() call.

Something to the effect of: "Hey, you're allowing this website to manage your money - you really need to trust them. Don't allow them to become a payment provider unless you plan to deposit money with them and allow them to manage it on your behalf". The chrome is going to have to be very explicit about what's going on.

Additionally, we will also want there to be a polyfill for this feature (as well as most features). I don't know how secure that polyfill could be in the beginning, so we'd need to discuss that as well. For example, should we just run a centralized service that works with the polyfill to keep track of payment providers via browser local storage? How does this work when you're at a public terminal? Security considerations... etc.

msporny referenced this issue Jul 1, 2013
@msporny
Added registerProvider() and getProviders() API calls.
a0885d7
@kumar303 kumar303 mentioned this issue Jul 15, 2013
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@msporny msporny

Labels
design enhancement
Projects
None yet
Milestone
Last Call
Development

No branches or pull requests
2 participants
@kumar303 @msporny