|
616 | 616 | Promise<void> abort();
|
617 | 617 | [NewObject]
|
618 | 618 | Promise<boolean> canMakePayment();
|
| 619 | + [NewObject] |
| 620 | + Promise<boolean> hasEnrolledInstrument(); |
619 | 621 |
|
620 | 622 | readonly attribute DOMString id;
|
621 | 623 | readonly attribute PaymentAddress? shippingAddress;
|
|
1312 | 1314 | <h2>
|
1313 | 1315 | <dfn>canMakePayment()dfn> method
|
1314 | 1316 | h2>
|
| 1317 | + <div class="note" title="canMakePayment() vs hasEnrolledInstrument()"> |
| 1318 | + <p> |
| 1319 | + The <a>canMakePayment()a> method can be used by the developer to |
| 1320 | + determine if the <a>user agenta> has support for one of the |
| 1321 | + desired <a>payment methodsa>. See <a href="#canMakePayment-privacy"> |
| 1322 | + privacy considerationsa>. |
| 1323 | + p> |
| 1324 | + <p> |
| 1325 | + A true result from <a>canMakePayment()a> does not imply that the |
| 1326 | + user has a provisioned instrument ready for payment. For that, use |
| 1327 | + <a>hasEnrolledInstrument()a> instead. |
| 1328 | + p> |
| 1329 | + div> |
| 1330 | + <p data-tests="payment-request-canmakepayment-method.https.html"> |
| 1331 | + The <a>canMakePayment()a> method MUST run the <a>can make payment |
| 1332 | + algorithma> with |checkForInstruments| set to false. |
| 1333 | + p> |
| 1334 | + section> |
| 1335 | + <section data-dfn-for="PaymentRequest" data-link-for="PaymentRequest"> |
| 1336 | + <h2> |
| 1337 | + <dfn>hasEnrolledInstrument()dfn> method |
| 1338 | + h2> |
1315 | 1339 | <p class="note">
|
1316 |
| - The <a>canMakePayment()a> method can be used by the developer to |
1317 |
| - determine if the <a>PaymentRequesta> object can be used to make a |
1318 |
| - payment, before they call <a>show()a>. It returns a <a>Promisea> |
1319 |
| - that will be fulfilled with true if the <a>user agenta> supports |
1320 |
| - any of the desired <a>payment methodsa> supplied to the |
1321 |
| - <a>PaymentRequesta> constructor, and false if none are supported. |
1322 |
| - If the method is called too often, the user agent might instead |
1323 |
| - return <a>a promise rejected witha> a "<a>NotAllowedErrora>" |
1324 |
| - <a>DOMExceptiona>, at its discretion. |
| 1340 | + The <a>hasEnrolledInstrument()a> method can be used by the developer |
| 1341 | + to determine if the <a>user agenta> has support for one of the |
| 1342 | + desired <a>payment methodsa> and if a <a>payment handlera> has an |
| 1343 | + instrument ready for payment. See |
| 1344 | + <a href="#canmakepayment-protections">a>. |
1325 | 1345 | p>
|
1326 |
| - <p data-tests="payment-request-canmakepayment-method.https.html"> |
1327 |
| - The <a>canMakePayment()a> method MUST act as follows: |
| 1346 | + <p data-tests="payment-request-hasenrolledinstrument-method.https.html"> |
| 1347 | + The <a>hasEnrolledInstrument()a> method MUST run the <a>can make |
| 1348 | + payment algorithma> with |checkForInstruments| set to true. |
1328 | 1349 | p>
|
1329 |
| - <ol class="algorithm"> |
1330 |
| - <li>Let |request| be the <a>PaymentRequesta> object on which the |
1331 |
| - method was called. |
1332 |
| - li> |
1333 |
| - <li>If |request|.<a>[[\state]]a> is not "<a>createda>", then |
1334 |
| - return <a>a promise rejected witha> an "<a>InvalidStateErrora>" |
1335 |
| - <a>DOMExceptiona>. |
1336 |
| - li> |
1337 |
| - <li data-tests= |
1338 |
| - "payment-request/payment-request-canmakepayment-method-protection.https.html"> |
1339 |
| - Optionally, at the <a>top-level browsing contexta>'s discretion, |
1340 |
| - return <a>a promise rejected witha> a "<a>NotAllowedErrora>" <a> |
1341 |
| - DOMExceptiona>. As described in section <a href= |
1342 |
| - "#canmakepayment-protections">a>, the user agent may limit the |
1343 |
| - rate at which a page can call <a>canMakePayment()a>. |
1344 |
| - li> |
1345 |
| - <li>Let |hasHandlerPromise| be <a>a new promisea>. |
1346 |
| - li> |
1347 |
| - <li>Return |hasHandlerPromise|, and perform the remaining steps <a>in |
1348 |
| - parallela>. |
1349 |
| - li> |
1350 |
| - <li>For each |paymentMethod| tuple in |
1351 |
| - |request|.<a>[[\serializedMethodData]]a>: |
1352 |
| - <ol> |
1353 |
| - <li>Let |identifier| be the first element in the |paymentMethod| |
1354 |
| - tuple. |
1355 |
| - li> |
1356 |
| - <li>If the user agent has a <a>payment handlera> that supports |
1357 |
| - handling payment requests for |identifier|, resolve |
1358 |
| - |hasHandlerPromise| with true and terminate this algorithm. |
1359 |
| - li> |
1360 |
| - ol> |
1361 |
| - li> |
1362 |
| - <li>Resolve |hasHandlerPromise| with false. |
1363 |
| - li> |
1364 |
| - ol> |
1365 | 1350 | section>
|
1366 | 1351 | <section data-dfn-for="PaymentRequest" data-link-for="PaymentRequest">
|
1367 | 1352 | <h2>
|
|
4216 | 4201 | li>
|
4217 | 4202 | ol>
|
4218 | 4203 | section>
|
| 4204 | + <section> |
| 4205 | + <h2> |
| 4206 | + Can make payment algorithm |
| 4207 | + h2> |
| 4208 | + <p> |
| 4209 | + The <dfn>can make payment algorithmdfn> checks if the <a>user |
| 4210 | + agenta> supports making payment with the <a>payment methodsa> with |
| 4211 | + which the <a>PaymentRequesta> was constructed. It takes a boolean |
| 4212 | + argument, |checkForInstruments|, that specifies whether the |
| 4213 | + algorithm checks for existence of enrolled instruments in addition to |
| 4214 | + supporting a <a>payment methoda>. |
| 4215 | + p> |
| 4216 | + <ol class="algorithm"> |
| 4217 | + <li>Let |request| be the <a>PaymentRequesta> object on |
| 4218 | + which the method was called. |
| 4219 | + li> |
| 4220 | + <li>If |request|.<a>[[\state]]a> is not "<a>createda>", |
| 4221 | + then return <a>a promise rejected witha> an |
| 4222 | + "<a>InvalidStateErrora>" <a>DOMExceptiona>. |
| 4223 | + li> |
| 4224 | + <li data-tests= |
| 4225 | + "payment-request-hasenrolledinstrument-method-protection.https.html, payment-request-canmakepayment-method-protection.https.html"> |
| 4226 | + Optionally, at the <a>top-level browsing contexta>'s discretion, |
| 4227 | + return <a>a promise rejected witha> a "<a>NotAllowedErrora>" |
| 4228 | + <a>DOMExceptiona>. |
| 4229 | + <p class="note" data-link-for="PaymentRequest"> |
| 4230 | + This allows user agents to apply heuristics to detect and prevent |
| 4231 | + abuse of the calling method for fingerprinting purposes, such as |
| 4232 | + creating <a>PaymentRequesta> objects with a variety of supported |
| 4233 | + <a>payment methodsa> and triggering the <a>can make payment |
| 4234 | + algorithma> on them one after the other. For example, a user |
| 4235 | + agent may restrict the number of successful calls that can be made |
| 4236 | + based on the <a>top-level browsing contexta> or the time period |
| 4237 | + in which those calls were made. |
| 4238 | + p> |
| 4239 | + li> |
| 4240 | + <li>Let |hasHandlerPromise| be <a>a new promisea>. |
| 4241 | + li> |
| 4242 | + <li>Return |hasHandlerPromise|, and perform the remaining steps |
| 4243 | + <a>in parallela>. |
| 4244 | + li> |
| 4245 | + <li>For each |paymentMethod| tuple in |request|. |
| 4246 | + <a>[[\serializedMethodData]]a>: |
| 4247 | + <ol> |
| 4248 | + <li>Let |identifier| be the first element in the |paymentMethod| |
| 4249 | + tuple. |
| 4250 | + li> |
| 4251 | + <li>If |checkForInstruments| is false, and the user agent has a |
| 4252 | + <a>payment handlera> that supports handling payment requests for |
| 4253 | + |identifier|, resolve |hasHandlerPromise| with true and terminate |
| 4254 | + this algorithm. |
| 4255 | + li> |
| 4256 | + <li>If |checkForInstruments| is true: |
| 4257 | + <ol> |
| 4258 | + <li>Let |data| be the result of <a data-cite= |
| 4259 | + "ECMASCRIPT#sec-json.parse">JSON-parsinga> the second |
| 4260 | + element in the |paymentMethod| tuple. |
| 4261 | + li> |
| 4262 | + <li>If required by the specification that defines the |
| 4263 | + |identifier|, then <a>converta> |data| to an IDL value. |
| 4264 | + Otherwise, <a>converta> to <a>objecta>. |
| 4265 | + li> |
| 4266 | + <li>Let |handlers| be a <a>lista> of registered |
| 4267 | + <a>payment handlersa> that are authorized and can handle |
| 4268 | + payment request for |identifier|. |
| 4269 | + li> |
| 4270 | + <li>For each |handler| in |handlers|: |
| 4271 | + <ol> |
| 4272 | + <li>Let |hasEnrolledInstrument| be the result of running |
| 4273 | + |handler|'s <a>steps to check if a payment can be madea> |
| 4274 | + with |data|. |
| 4275 | + li> |
| 4276 | + <li>If |hasEnrolledInstrument| is true, resolve |
| 4277 | + |hasHandlerPromise| with true and terminate this algorithm. |
| 4278 | + li> |
| 4279 | + ol> |
| 4280 | + li> |
| 4281 | + ol> |
| 4282 | + ol> |
| 4283 | + li> |
| 4284 | + <li>Resolve |hasHandlerPromise| with false. |
| 4285 | + li> |
| 4286 | + ol> |
| 4287 | + section> |
4219 | 4288 | <section>
|
4220 | 4289 | <h2>
|
4221 | 4290 | Shipping address changed algorithm
|
|
5206 | 5275 | <code>canMakePayment()code> protections
|
5207 | 5276 | h2>
|
5208 | 5277 | <p data-link-for="PaymentRequest">
|
5209 |
| - The <a>canMakePayment()a> method enables the payee to determine — |
5210 |
| - before calling <a>show()a> — whether the user agent knows of any |
5211 |
| - <a>payment handlersa> available to the user that support the |
5212 |
| - <a>payment methodsa> provided to the <a>PaymentRequesta> |
5213 |
| - <a data-lt="PaymentRequest.PaymentRequest()">constructora>. If no |
5214 |
| - <a>payment handlersa> support the <a>payment methodsa>, this |
5215 |
| - enables the payee to fall back to a legacy checkout experience. Because |
5216 |
| - this method shares some potentially unique information with the payee, |
5217 |
| - user agents are expected to protect the user from abuse of the method. |
5218 |
| - For example, user agents can reduce user fingerprinting by: |
| 5278 | + The <a>canMakePayment()a> and <a>hasEnrolledInstrument()a> methods |
| 5279 | + have the potential to expose user information that could be abused for |
| 5280 | + fingerprinting purposes. User agents are expected to protect the user |
| 5281 | + from abuse of the method. For example, user agents can reduce user |
| 5282 | + fingerprinting by: |
5219 | 5283 | p>
|
5220 | 5284 | <ul data-link-for="PaymentRequest">
|
5221 | 5285 | <li>Allowing the user to configure the user agent to turn off
|
5222 |
| - <a>canMakePayment()a>, which would return <a>a promise rejected |
| 5286 | + <a>canMakePayment()a> and <a>hasEnrolledInstrument()a>, which would |
| 5287 | + return <a>a promise rejected |
5223 | 5288 | witha> a "<a>NotAllowedErrora>" <a>DOMExceptiona>.
|
5224 | 5289 | li>
|
5225 |
| - <li>Rate-limiting the frequency of calls to <a>canMakePayment()a> |
5226 |
| - with different parameters. |
| 5290 | + <li>Rate-limiting the frequency of calls with different parameters. |
5227 | 5291 | li>
|
5228 | 5292 | ul>
|
5229 | 5293 | <p>
|
|
0 commit comments