KEMBAR78
Add PaymentRequest.prototype.hasEnrolledInstrument() by danyao · Pull Request #833 · w3c/payment-request · GitHub
Skip to content

Conversation

@danyao
Copy link
Collaborator

@danyao danyao commented Feb 8, 2019

closes #830

The following tasks have been completed:

Implementation commitment:

Optional, impact on Payment Handler spec?
After this change, CanMakePaymentEvent will not be triggered on any payment handler when canMakePayment() runs. It will be triggered when hasEnrolledInstrument() runs.


Preview | Diff

@marcoscaceres
Copy link
Member

Thanks @danyao! I’ll try to review this ASAP!

@danyao
Copy link
Collaborator Author

danyao commented Feb 8, 2019

Thanks! I forgot to update the PaymentRequest interface with the new method in the first commit. This is fixed now.

ianbjacobs and others added 3 commits February 8, 2019 14:29
Co-Authored-By: danyao <danyao@chromium.org>
Co-Authored-By: danyao <danyao@chromium.org>
Co-Authored-By: danyao <danyao@chromium.org>
Copy link
Member

@marcoscaceres marcoscaceres left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @danyao, this is a great start - and the algorithm parts are looking pretty solid...

However, I'd like to do this in two parts because there is some duplication in the two algorithms that I'd like to avoid (mostly an editorial/maintenance issue). Also note that the hasEnrolledInstrument() doesn't seem to integrate with the state machine like the other methods.

For example, right now:

pr = new PaymentRequest("")
await pr.abort();
await pr.canMakePayment(); //throws
await pr.hasEnrolledInstrument(); // doesn't throw.

I think we should have a single algorithm in the Algorithms sections. The algorithm should be called:

"can make payment algorithm" and have it take an argument Boolean <var>checkForInstruments</var> that if passed as "true", it does the instrument check.

Then, instead of:

The <a>canMakePayment()</a> method MUST act as follows:

It would be:

The <a>canMakePayment()</a> method MUST run the <a>can make payment algorithm</a> with the <var>checkForInstruments</a> set to false.

Then, instead of:

The <a>hasEnrolledInstrument()</a> method MUST act as follows:

It would be:

The <a>hasEnrolledInstrument()</a> method MUST run the <a>can make payment algorithm</a> with the <var>checkForInstruments</a> set to true.

@marcoscaceres
Copy link
Member

marcoscaceres commented Feb 11, 2019

Now I'm wondering if we should just add a optional dictionary to canMakePayment():

pr.canMakePayment({ withEnrolledInstruments: true });

@webpayments-specs
Copy link

webpayments-specs commented Feb 11, 2019 via email

@marcoscaceres
Copy link
Member

Firefox would likely never return this information truthfully for built in methods regardless (i.e., we will always return true), so I don’t see what difference it makes from a feature detection POV?

@marcoscaceres
Copy link
Member

(Note the hasEnrolledInstruments() would introduce another fingerprinting vector - so we might want to document that in the Privacy and Security section, and we should make it ok for UAs to lie for privacy reasons).

@rsolomakhin
Copy link
Collaborator

Chrome would return the hasEnrolledInstrument() truthfully for the built-in basic-card payment method. The feature detection matters for Chrome, because the old implementation of canMakePayment() was checking for instruments, whereas the new implementation would not be doing that. The only way for a website to determine which is which is to check for hasEnrolledInstrument() in the case of Chrome. Sorry about our legacy shipped code! :-(

Note the hasEnrolledInstruments() would introduce another fingerprinting vector - so we might want to document that in the Privacy and Security section.

Privacy and Security section changes sound reasonable.

We should make it ok for UAs to lie for privacy reasons.

Did you have in mind returning NotAllowedError similar to canMakePayment()? That sounds OK.

@marcoscaceres
Copy link
Member

Ok, let’s go with the new name 👍 about the exceptions, see my suggestion about using the same abstract algorithm for both this an canMakePayment(). Then they are both protected by the same abuse checking.

marcoscaceres and others added 6 commits February 11, 2019 09:50
Co-Authored-By: danyao <danyao@chromium.org>
Co-Authored-By: danyao <danyao@chromium.org>
Co-Authored-By: danyao <danyao@chromium.org>
…this method no longer exposes new user agent configuraton
@danyao
Copy link
Collaborator Author

danyao commented Feb 11, 2019

Hi @marcoscaceres, thanks for the feedback!

However, I'd like to do this in two parts because there is some duplication in the two algorithms that I'd like to avoid (mostly an editorial/maintenance issue).

Consolidating redundant algorithm makes sense. I went the other way initially because I felt it may be confusing to embed an "if" and the rate-limit note inside the loop. I gave it another try. PTAL.

Also note that the hasEnrolledInstrument() doesn't seem to integrate with the state machine like the other methods.

For example, right now:

pr = new PaymentRequest("")
await pr.abort();
await pr.canMakePayment(); //throws
await pr.hasEnrolledInstrument(); // doesn't throw.

This would be a bug. How did you test it? I added a manual WPT test case for this scenario and it was passing on my debug build, but I could have overlooked something: https://github.com/web-platform-tests/wpt/blob/master/payment-request/payment-request-hasenrolledinstrument-method-manual.https.html#L81

(Note the hasEnrolledInstruments() would introduce another fingerprinting vector - so we might want to document that in the Privacy and Security section, and we should make it ok for UAs to lie for privacy reasons).

Updated the Privacy Considerations section. PTAL.

Do you think it's important to keep the abuse protection for canMakePayment()? I feel it's no longer necessary because with the introduction of JIT and removal of handler-specific can make payment check, the new canMakePayment() is mostly an UA version detector. hasEnrolledInstrument() on the other hand still exposes user information, so should be kept under abuse protection.

@danyao
Copy link
Collaborator Author

danyao commented Feb 15, 2019

Friendly ping @marcoscaceres. I've responded to your feedback. PTAL.

Copy link
Member

@marcoscaceres marcoscaceres left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks for doing this @danyao.

Before we merge, we need:

  1. Approval and implementation commitment from @aestes.
  2. Firefox bug (I'll file one).

We also need to decide if we are going to fork 1.1 at this point. I'm waiting on final review feedback from various Editors of 1.0.

@marcoscaceres marcoscaceres changed the title Add hasEnrolledInstrument() Add PaymentRequest.prototype.hasEnrolledInstrument() Feb 18, 2019
@marcoscaceres marcoscaceres requested a review from aestes February 18, 2019 04:10
@marcoscaceres
Copy link
Member

@danyao
Copy link
Collaborator Author

danyao commented Feb 22, 2019

Friendly ping, @aestes.

Co-Authored-By: danyao <danyao@chromium.org>
@danyao
Copy link
Collaborator Author

danyao commented Mar 4, 2019

Hi @marcoscaceres,

Now that this PR is approved, what would be the best next step? Should we create a 1.1 branch to commit this?

@ianbjacobs
Copy link
Collaborator

@plehegar do you have guidance here for introducing a new branch?

Ian

@marcoscaceres
Copy link
Member

@danyao @plehegar @ianbjacobs, my preference is for us not to spin up new branches as we are almost ready to republish in the next 2 weeks.

@danyao, just hang tight, we are almost done with 1.0. Once the new CR is out, we don't expect any significant feedback - so it will be easier to deal with back porting, or uplifting, changes as needed (and all this stuff will go into the gh-pages branch).

@marcoscaceres marcoscaceres dismissed ianbjacobs’s stale review March 22, 2019 01:57

Comments addressed

@marcoscaceres
Copy link
Member

If we can get commitment from one more implementer we can land this.

@ianbjacobs
Copy link
Collaborator

@danyao, @rsolomakhin, @zouhir, @aestes see above request from @marcoscaceres. :)

@rsolomakhin
Copy link
Collaborator

@ianbjacobs : This is shipped in Chrome and there's a bug in WebKit. Is that sufficient?

@marcoscaceres
Copy link
Member

@rsolomakhin, excellent! thanks for doing the archeology! Yep, that's good enough.

@ianbjacobs
Copy link
Collaborator

That sounds like 2 implementation commitments. @marcoscaceres, seem ok?

@marcoscaceres
Copy link
Member

@danyao could you please check the merge conflict? I can modernize the markup a bit after we merge.

@danyao
Copy link
Collaborator Author

danyao commented Apr 30, 2019 via email

@danyao
Copy link
Collaborator Author

danyao commented May 2, 2019

Hi @marcoscaceres - I fixed the merge conflicts. PTAL!

@marcoscaceres marcoscaceres merged commit 6f2565b into w3c:gh-pages May 3, 2019
@marcoscaceres
Copy link
Member

Thanks @danyao! looks great.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Spec hasEnrolledInstrument

6 participants