Add support for merchant validation (#751)

Author: marcoscaceres

index.html

@@ -586,6 +586,7 @@ 
           readonly attribute DOMString? shippingOption;
           readonly attribute PaymentShippingType? shippingType;
 
+          attribute EventHandler onmerchantvalidation;
           attribute EventHandler onshippingaddresschange;
           attribute EventHandler onshippingoptionchange;
           attribute EventHandler onpaymentmethodchange;
@@ -1290,6 +1291,17 @@ 
           "PaymentOptions.shippingType">shippingTypea> member).
         p>
       section>
+      <section data-dfn-for="PaymentRequest" data-link-for="PaymentRequest">
+        <h2>
+          <dfn>onmerchantvalidationdfn> attribute
+        h2>
+        <p data-tests=
+        "payment-request/onmerchantvalidation-attribute.https.html">
+          A <a>PaymentRequesta>'s <a>onmerchantvalidationa> attribute is an
+          <a>EventHandlera> for a <a>MerchantValidationEventa> named
+          "<a>merchantvalidationa>".
+        p>
+      section>
       <section data-dfn-for="PaymentRequest" data-link-for="PaymentRequest">
         <h2>
           <dfn>onshippingaddresschangedfn> attribute
@@ -3722,6 +3734,21 @@ 
               Target
             th>
           tr>
+          <tr>
+            <td>
+              <code><dfn>merchantvalidationdfn>code>
+            td>
+            <td>
+              <a>MerchantValidationEventa>
+            td>
+            <td>
+              The user agent requires the merchant to perform merchant
+              validation.
+            td>
+            <td>
+              <a>PaymentRequesta>
+            td>
+          tr>
           <tr>
             <td>
               <code><dfn>shippingaddresschangedfn>code>
@@ -3782,6 +3809,166 @@ 
           tr>
         table>
       section>
+      <section data-dfn-for="MerchantValidationEvent" data-link-for=
+      "MerchantValidationEvent">
+        <h2>
+          <dfn>MerchantValidationEventdfn> interface
+        h2>
+        <pre class="idl">
+          [Constructor(DOMString type, optional MerchantValidationEventInit eventInitDict),
+          SecureContext, Exposed=Window]
+          interface MerchantValidationEvent : Event {
+            readonly attribute USVString validationURL;
+            void complete(Promise<any> merchantSessionPromise);
+          };
+        pre>
+        <section>
+          <h3>
+            <dfn data-lt=
+            "MerchantValidationEvent.MerchantValidationEvent()"><code>MerchantValidationEventcode>
+            constructordfn>
+          h3>
+          <p data-tests=
+          "MerchantValidationEvent/constructor.https.html, MerchantValidationEvent/constructor.http.html">
+            The <a data-cite="dom#concept-event-constructor-ext">event
+            constructing stepsa>, which take a <a>MerchantValidationEventa>
+            <var>eventvar>, are as follows:
+          p>
+          <ol class="algorithm">
+            <li>Let <var>basevar> be the <a data-cite=
+            "dom#context-object">eventa>’s <a data-cite=
+            "!html/multipage/webappapis.html#relevant-settings-object">relevant
+            settings objecta>’s <a data-cite=
+            "!html/multipage/webappapis.html#api-base-url">API base URLa>.
+            li>
+            <li>Let <var>inputvar> be the empty string.
+            li>
+            <li>If <var>eventInitDictvar> was passed, set <var>inputvar> to
+            the value of <var>eventInitDictvar>["<a>validationURLa>"].
+            li>
+            <li data-link-for="MerchantValidationEventInit">Let
+            <var>validationURLvar> be the result of <a data-cite=
+            "!url#concept-url-parser">URL parsinga> <var>inputvar> and
+            <var>basevar>.
+            li>
+            <li>If <var>validationURLvar> is failure, throw a
+            <a>TypeErrora>.
+            li>
+            <li>Initialize <var>eventvar>.<a>validationURLa> attribute to
+            <var>validationURLvar>.
+            li>
+            <li>Initialize <var>eventvar>.<a data-lt=
+            "mechvalidation.waitForUpdate">[[\waitForUpdate]]a> to false.
+            li>
+          ol>
+        section>
+        <section>
+          <h3>
+            <dfn>validationURLdfn> attribute
+          h3>
+          <p>
+            A <a data-cite="url#concept-url">URLa> from which a developer can
+            fetch <a>payment handlera>-specific verification data. By then
+            passing that data (or a promise that resolves with that data) to
+            <a>complete()a>, the user agent can verify that the payment
+            request is from a authorized merchant.
+          p>
+          <p>
+            When getting, returns the value it was <a data-cite=
+            "dom#inner-event-creation-steps">initializeda> with.
+          p>
+        section>
+        <section>
+          <h3>
+            <dfn>complete()dfn> method
+          h3>
+          <p data-test=
+          "payment-request/MerchantValidationEvent/complete-method-manual.https.html">
+            The <a>MerchantValidationEventa>'s
+            <code>complete(<var>merchantSessionPromisevar>)code> method
+            MUST act as follows:
+          p>
+          <ol class="algorithm">
+            <li>Let <var>eventvar> be the <a>context objecta>.
+            li>
+            <li>If <var>eventvar>'s <a>isTrusteda> attribute is false, then
+            <a>throwa> an "<a>InvalidStateErrora>" <a>DOMExceptiona>.
+            li>
+            <li>If <var>eventvar>.<a data-lt=
+            "mechvalidation.waitForUpdate">[[\waitForUpdate]]a> is true, then
+            <a>throwa> an "<a>InvalidStateErrora>" <a>DOMExceptiona>.
+            li>
+            <li>Let <var>requestvar> be <var>eventvar>'s <a data-cite=
+            "dom#event-target">targeta>.
+            li>
+            <li>If <var>requestvar>.<a>[[\state]]a> is not
+            "<a>interactivea>", then <a>throwa> an
+            "<a>InvalidStateErrora>" <a>DOMExceptiona>.
+            li>
+            <li>If <var>requestvar>.<a>[[\updating]]a> is true, then
+            <a>throwa> an "<a>InvalidStateErrora>" <a>DOMExceptiona>.
+            li>
+            <li>Set <var>eventvar>'s <a>stop propagation flaga> and <a>stop
+            immediate propagation flaga>.
+            li>
+            <li>Set <var>eventvar>.<a data-lt=
+            "mechvalidation.waitForUpdate">[[\waitForUpdate]]a> to true.
+            li>
+            <li>Run the <a>validate merchant's details algorithma> with <var>
+              merchantSessionPromisevar> and <var>requestvar>.
+            li>
+          ol>
+        section>
+        <section>
+          <h2>
+            Internal Slots
+          h2>
+          <p>
+            Instances of <a>MerchantValidationEventa> are created with the
+            internal slots in the following table:
+          p>
+          <table>
+            <tr>
+              <th>
+                Internal Slot
+              th>
+              <th>
+                Description (<em>non-normativeem>)
+              th>
+            tr>
+            <tr>
+              <td>
+                <dfn data-lt-nodefault="" data-lt=
+                "mechvalidation.waitForUpdate">[[\waitForUpdate]]dfn>
+              td>
+              <td>
+                A boolean indicating whether an <a>complete()a>-initiated
+                update is currently in progress.
+              td>
+            tr>
+          table>
+        section>
+        <section data-dfn-for="MerchantValidationEventInit" data-link-for=
+        "MerchantValidationEventInit">
+          <h3>
+            <dfn>MerchantValidationEventInitdfn> dictionary
+          h3>
+          <pre class="idl">
+            dictionary MerchantValidationEventInit : EventInit {
+              USVString validationURL = "";
+            };
+          pre>
+          <section>
+            <h4>
+              <dfn>validationURLdfn> member
+            h4>
+            <p>
+              A URL from which a developer would fetch <a>payment
+              handlera>-specific verification data.
+            p>
+          section>
+        section>
+      section>
       <section data-dfn-for="PaymentMethodChangeEvent" data-link-for=
       "PaymentMethodChangeEvent">
         <h2>
@@ -4032,6 +4219,72 @@ 
         object is set to "<a>interactivea>", the <a>user agenta> will
         trigger the following algorithms based on user interaction.
       p>
+      <section>
+        <h2>
+          Merchant validation
+        h2>
+        <p>
+          <dfn data-lt="Validate the merchant">Merchant validationdfn> is the
+          process by which a <a>payment handlera> validates the identity of a
+          merchant against some <var>valuevar> (usually some cryptographic
+          challenge response). Validated merchants are allowed to interface
+          with a <a>payment handlera>. Details of how actual validation is
+          performed is outside the scope of this specification.
+        p>
+        <p>
+          It is OPTIONAL for a <a>payment handlera> to support <a>merchant
+          validationa>.
+        p>
+        <p>
+          For <a>payment methodsa> that support <a>merchant validationa>,
+          the user agent runs the <dfn>request merchant validation
+          algorithmdfn>. The algorithm takes a <a data-cite=
+          "webidl#idl-USVString"><code>USVStringcode>a>
+          <var>merchantSpecificURLvar>, provided by the <a>payment
+          handlera>:
+        p>
+        <ol class="algorithm">
+          <li>Let <var>requestvar> be the <a>PaymentRequesta> object that
+          the user is interacting with.
+          li>
+          <li>Let <var>validationURLvar> be a <a data-cite=
+          "url#absolute-url-string">absolute URL stringa> from which a
+          developer can fetch <a>payment handlera>-specific verification
+          data.
+          li>
+          <li>
+            <a>Queue a taska> on the <a>user interaction task sourcea> to
+            run the following steps:
+            <ol>
+              <li>Assert: <var>requestvar>.<a>[[\updating]]a> is false.
+              li>
+              <li>Assert: <var>requestvar>.<a>[[\state]]a> is
+              "<a>interactivea>".
+              li>
+              <li>Let <var>eventInitDictvar> be an new
+              <a>MerchantValidationEventInita> dictionary.
+              li>
+              <li data-link-for="MerchantValidationEventInit">Set
+              <var>eventInitDictvar>["<a>validationURLa>"] to
+              <var>validationURLvar>.
+              li>
+              <li>Let <var>eventvar> be the result of <a data-cite=
+              "dom#concept-event-constructor">constructinga> a
+              <a>MerchantValidationEventa> with "<a>merchantvalidationa>"
+              and <var>eventInitDictvar>.
+              li>
+              <li>Initialize <var>eventvar>’s <a data-cite=
+              "dom#dom-event-istrusted"><code>isTrustedcode>a> attribute to
+              true.
+              li>
+              <li>
+                <a data-cite="dom#concept-event-dispatch">Dispatcha>
+                <var>eventvar> to <var>requestvar>.
+              li>
+            ol>
+          li>
+        ol>
+      section>
       <section>
         <h2>
           Shipping address changed algorithm
@@ -4821,6 +5074,64 @@ 
           p>
         div>
       section>
+      <section>
+        <h2>
+          Validate merchant's details algorithm
+        h2>
+        <p>
+          The <dfn>validate merchant's details algorithmdfn> takes a
+          <a>Promisea> <var>opaqueDataPromisevar> and a
+          <a>PaymentRequesta> <var>requestvar>. The steps are conditional
+          on the <var>opaqueDataPromisevar> settling. If
+          <var>opaqueDataPromisevar> never settles then the payment request
+          is blocked. The user agent SHOULD provide the user with a means to
+          abort a payment request. Implementations MAY choose to implement a
+          timeout for pending updates if <var>opaqueDataPromisevar> doesn't
+          settle in a reasonable amount of time. If an implementation chooses
+          to implement a timeout, they MUST execute the steps listed below in
+          the "upon rejection" path. Such a timeout is a fatal error for the
+          payment request.
+        p>
+        <ol class="algorithm">
+          <li>Set <var>requestvar>.<a>[[\updating]]a> to true.
+          li>
+          <li>
+            <a>In parallela>, disable the user interface that allows the user
+            to accept the payment request. This is to ensure that the payment
+            is not accepted until the user interface is updated with any new
+            details.
+          li>
+          <li>
+            <a>Upon rejectiona> of <var>opaqueDataPromisevar>:
+            <ol>
+              <li>
+                <a>Abort the updatea> with <var>requestvar> and an
+                "<a>AbortErrora>" <a>DOMExceptiona>.
+              li>
+            ol>
+          li>
+          <li>
+            <a>Upon fulfillmenta> of <var>opaqueDataPromisevar> with value
+            <var>opaqueDatavar>:
+            <ol>
+              <li>
+                <a>Validate the merchanta> using <var>opaqueDatavar>.
+              li>
+              <li>If <var>opaqueDatavar> is invalid, as per the validation
+              rules of the <a>payment handlera>, <a>abort the updatea> with
+              <var>requestvar> and an appropriate <a data-cite=
+              "!webidl#dfn-exception">exceptiona> and return.
+              li>
+              <li>Otherwise, set <var>requestvar>.<a>[[\updating]]a> to
+              false.
+              li>
+              <li>Enable the user interface, allowing the request for payment
+              to proceed.
+              li>
+            ol>
+          li>
+        ol>
+      section>
     section>
     <section class="informative">
       <h2>