Integration of Secure Payment Confirmation

[ianbjacobs]

Description

This pull request supersedes pull request 28705 based on discussion for how best to structure the integration of Secure Payment Confirmation (SPC).

Motivation

SPC is already shipping in several browsers and should be documented on MDN.

Additional details

Related issues and pull requests

Relates to #421.

cc @wbamberg, @stephenmcgruer, @mountainhippo

[ianbjacobs]

Hi @wbamberg! Here's my first pass at integrating as we discussed on #28705; I am sure edits will be needed and look forward to your review.

[github-actions]

Remaining comments which cannot be posted as a review comment to avoid GitHub Rate Limit

mdn-linter

files/en-us/web/api/securepaymentconfirmationrequest/index.md|37|
files/en-us/web/api/securepaymentconfirmationrequest/index.md|42|
files/en-us/web/api/securepaymentconfirmationrequest/index.md|45|
files/en-us/web/api/securepaymentconfirmationrequest/index.md|50|
files/en-us/web/api/securepaymentconfirmationrequest/index.md|56|
files/en-us/web/api/securepaymentconfirmationrequest/index.md|60 col 1|

[github-actions]

[mdn-linter] _{reported by reviewdog 🐶}

Suggested change

	- : The [standardized payment method dentifier](https://www.w3.org/TR/payment-method-id/#registry)
	- : The [standardized payment method dentifier](https://www.w3.org/TR/payment-method-id/#registry)

[github-actions]

[mdn-linter] _{reported by reviewdog 🐶}

Suggested change

for [Secure Payment Confirmation](https://w3c.github.io/secure-payment-confirmation) is "secure-payment-confirmation". The Payment Request data for this payment is defined by the [SecurePaymentConfirmationRequest dictionary](/en-US/docs/Web/API/SecurePaymentConfirmationRequest). For more information see [Using Payment Request API for Secure Payment Confirmation](/en-US/docs/Web/API/Payment_Request_API/Using_with_Secure_Payment_Confirmation).

for [Secure Payment Confirmation](https://w3c.github.io/secure-payment-confirmation) is "secure-payment-confirmation". The Payment Request data for this payment is defined by the [SecurePaymentConfirmationRequest dictionary](/en-US/docs/Web/API/SecurePaymentConfirmationRequest). For more information see [Using Payment Request API for Secure Payment Confirmation](/en-US/docs/Web/API/Payment_Request_API/Using_with_Secure_Payment_Confirmation).

[github-actions]

[mdn-linter] _{reported by reviewdog 🐶}

Suggested change

	- `challenge`
	- : A random [challenge](/en-US/docs/Web/API/CredentialsContainer/create#challenge) that the relying party generates on the server side
	to prevent replay attacks.
	- `rpId`
	- : The [Relying Party Identifier](/en-US/docs/Web/API/CredentialsContainer/get#rpid) of the credentials.
	- `challenge`
	- : A random [challenge](/en-US/docs/Web/API/CredentialsContainer/create#challenge) that the relying party generates on the server side
	to prevent replay attacks.

[github-actions]

[mdn-linter] _{reported by reviewdog 🐶}

Suggested change

	- `credentialIds`
	- : The list of credential identifiers for the given instrument.
	- `rpId`
	- : The [Relying Party Identifier](/en-US/docs/Web/API/CredentialsContainer/get#rpid) of the credentials.

[github-actions]

[mdn-linter] _{reported by reviewdog 🐶}

Suggested change

	- `instrument`
	- : The description of the instrument name and icon to display during
	registration and to be signed along with the transaction details.
	- `credentialIds`
	- : The list of credential identifiers for the given instrument.

[github-actions]

[mdn-linter] _{reported by reviewdog 🐶}

Suggested change

	- `timeout`
	- : The number of milliseconds before the request to sign the transaction
	details times out. At most 1 hour.
	- `instrument`
	- : The description of the instrument name and icon to display during
	registration and to be signed along with the transaction details.

[github-actions]

[mdn-linter] _{reported by reviewdog 🐶}

Suggested change

	- `payeeName`
	- : The display name of the payee that this SPC call is for (e.g., the
	merchant). Optional, may be provided alongside or instead of
	payeeOrigin.
	- `timeout`
	- : The number of milliseconds before the request to sign the transaction
	details times out. At most 1 hour.

[github-actions]

[markdownlint] _{reported by reviewdog 🐶}
MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: ---]

[github-actions]

[mdn-linter] _{reported by reviewdog 🐶}

Suggested change

	- `payeeOrigin`
	- : The [=/origin=] of the payee that this SPC call is for (e.g., the
	merchant). Optional, may be provided alongside or instead of
	payeeName.
	- `payeeName`
	- : The display name of the payee that this SPC call is for (e.g., the
	merchant). Optional, may be provided alongside or instead of
	payeeOrigin.

[github-actions]

[mdn-linter] _{reported by reviewdog 🐶}

Suggested change

	- `extensions`
	- : Any [WebAuthn extensions](/en-US/docs/Web/API/Web_Authentication_API/WebAuthn_extensions) that should be used for the passed credential(s). The caller does not need to specify the [payment extension](/en-US/docs/Web/API/Web_Authentication_API/WebAuthn_extensions#payment); it is added automatically.
	- `payeeOrigin`
	- : The [=/origin=] of the payee that this SPC call is for (e.g., the
	merchant). Optional, may be provided alongside or instead of
	payeeName.

[github-actions]

[mdn-linter] _{reported by reviewdog 🐶}

Suggested change

	- `locale`
	- : An optional list of well-formed {{RFC(5646, "Tags for Identifying Languages (also known as BCP 47)")}} language tags, in descending
	order of priority, that identify the local preferences of the
	website, i.e. a language priority list {{RFC(4647, "Matching of Language Tags")}}, which the user agent can use to perform [language negotiation](/en-US/docs/Web/HTTP/Content_negotiation) and locale-affected formatting with the caller.
	- `extensions`
	- : Any [WebAuthn extensions](/en-US/docs/Web/API/Web_Authentication_API/WebAuthn_extensions) that should be used for the passed credential(s). The caller does not need to specify the [payment extension](/en-US/docs/Web/API/Web_Authentication_API/WebAuthn_extensions#payment); it is added automatically.

[github-actions]

[mdn-linter] _{reported by reviewdog 🐶}

Suggested change

	NOTE: The locale is distinct from
	language or direction metadata associated with specific input
	members, in that it represents the caller's requested localized
	experience rather than assertion about a specific string value.
	See [SPC internationalization Considerations](https://w3c.github.io/secure-payment-confirmation/#sctn-i18n-considerations) for more discussion.
	- `locale`
	- : An optional list of well-formed {{RFC(5646, "Tags for Identifying Languages (also known as BCP 47)")}} language tags, in descending
	order of priority, that identify the local preferences of the
	website, i.e. a language priority list {{RFC(4647, "Matching of Language Tags")}}, which the user agent can use to perform [language negotiation](/en-US/docs/Web/HTTP/Content_negotiation) and locale-affected formatting with the caller.

[github-actions]

[mdn-linter] _{reported by reviewdog 🐶}

Suggested change

	- `showOptOut`
	- : Whether the user should be given a chance to opt-out during the
	[transaction confirmation UX](https://w3c.github.io/secure-payment-confirmation/#sctn-transaction-confirmation-ux). Optional, default false.
	NOTE: The locale is distinct from
	language or direction metadata associated with specific input
	members, in that it represents the caller's requested localized
	experience rather than assertion about a specific string value.
	See [SPC internationalization Considerations](https://w3c.github.io/secure-payment-confirmation/#sctn-i18n-considerations) for more discussion.

[github-actions]

[mdn-linter] _{reported by reviewdog 🐶}

Suggested change

To protect against online payment fraud, it is common to authenticate the account holder. Strong authentication lowers the risk of fraud, but increases the likelihood that friction during checkout will lead to shopping cart abandonment. Banks, merchants, payment services providers, and other entities in a payments ecosystem therefore consider a number of factors when deciding what type and strength of authentication to use for each transaction, including the amount, the items being purchased, the user's payment history, which party bears liability in the case of fraud, and regulatory requirements (such as [European Payment Services Directive 2](https://en.wikipedia.org/wiki/Payment_Services_Directive#Revised_Directive_on_Payment_Services_(PSD2)) requirements for strong customer authentication and evidence of user consent).

To protect against online payment fraud, it is common to authenticate the account holder. Strong authentication lowers the risk of fraud, but increases the likelihood that friction during checkout will lead to shopping cart abandonment. Banks, merchants, payment services providers, and other entities in a payments ecosystem therefore consider a number of factors when deciding what type and strength of authentication to use for each transaction, including the amount, the items being purchased, the user's payment history, which party bears liability in the case of fraud, and regulatory requirements (such as [European Payment Services Directive 2](<https://en.wikipedia.org/wiki/Payment_Services_Directive#Revised_Directive_on_Payment_Services_(PSD2)>) requirements for strong customer authentication and evidence of user consent).

[ianbjacobs]

@wbamberg, thanks for all the great suggestions. I think I have integrated them (including a directory name change).

@stephenmcgruer, there was a question about whether there is a default value for "timeout." I looked at the WebAuthn spec [1] which does not specify a default. Should we say nothing? Should we say the timeout is implementation dependent? Something else? Thanks!

[1] https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-timeout

[wbamberg]

Thank you for the updates, @ianbjacobs , I reckon this is great. I'll merge this now and if we get an answer about the timeout default value, we can file a follow-up.

[ianbjacobs]

WHOHOO! Thank you @wbamberg, it's been a pleasure. I really appreciate all the time you devoted to making this happen!

[stephenmcgruer]

@stephenmcgruer, there was a question about whether there is a default value for "timeout." I looked at the WebAuthn spec [1] which does not specify a default. Should we say nothing? Should we say the timeout is implementation dependent? Something else? Thanks!

There is a suggested default in the WebAuthn spec - https://www.w3.org/TR/webauthn-2/#ref-for-dom-publickeycredentialcreationoptions-timeout . So could reference that, or could say its implementation dependent (which it is).

[ianbjacobs]

I now see that the Web Authentication documentation on MDN about timeout is here:
https://developer.mozilla.org/en-US/docs/Web/API/CredentialsContainer/create#timeout

So another option is to reference that definition. However, that definition does not indicate a default.

My preference at this point is to refer to the Web Authentication specification. Stephen, should we also refer to the Web Authentication specification from the SPC definition of timeout?

[stephenmcgruer]

Stephen, should we also refer to the Web Authentication specification from the SPC definition of timeout?

I would happily review a PR to do so. :)

[ianbjacobs]

So let it be written, so let it be done:
w3c/secure-payment-confirmation#265