KEMBAR78
Add privacy protection to MerchantValidationEvent's validationURL by marcoscaceres · Pull Request #850 · w3c/payment-request · GitHub
Skip to content

Add privacy protection to MerchantValidationEvent's validationURL #850

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Mar 14, 2019
Merged

Add privacy protection to MerchantValidationEvent's validationURL #850

merged 6 commits into from
Mar 14, 2019

Conversation

marcoscaceres
Copy link
Member

@marcoscaceres marcoscaceres commented Mar 12, 2019
edited by pr-preview bot
Loading

Part of PING discussions.

The following tasks have been completed:

  • Confirmed there are no ReSpec errors/warnings.
  • Not testable Modified Web platform tests.

Optional, impact on Payment Handler spec?

If handlers will have a means of handling merchant validation, that spec should include a privacy note.

Preview | Diff

rsolomakhin
rsolomakhin approved these changes Mar 12, 2019
View reviewed changes
Copy link
Collaborator

@rsolomakhin rsolomakhin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the clarification. I will be sure to include this in the PH spec when adding the merchant validation feature and will add you the the PR for review.

ianbjacobs
ianbjacobs requested changes Mar 12, 2019
View reviewed changes
Copy link
Collaborator

@ianbjacobs ianbjacobs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @marcoscaceres

I agree with the sentiment, but two things make me uncomfortable:

  • Imposing a normative requirement on payment handlers in this specification.
  • It would probably be ok for the URL to include some information about a person for an authorized server; we don't want that information to be visible to unauthorized parties.

Proposed:

"It is important that the validationURL in a MerchantValidationEvent
does not expose personally identifying information to unauthorized parties."

I am avoiding creating a normative requirement, but do want to stress the importance.

@ianbjacobs ianbjacobs changed the title Add privacy protenction to MerchantValidationEvent's validationURL Add privacy protection to MerchantValidationEvent's validationURL Mar 12, 2019
@marcoscaceres
Copy link
Member Author

@ianbjacobs, your suggestion sounds good. Could you please update this branch with your new text?

@ianbjacobs
Copy link
Collaborator

Hi @marcoscaceres,

I made the change and also did a tidy; I think some of the changes shown are due to tidy.

Ian

@ianbjacobs
add
349ab9b 
It is important that the <a>validationURL</a> in a
<a>MerchantValidationEvent</a> does not expose personally
identifying information to unauthorized parties.

to e13799f

without doing a tidy first
@ianbjacobs
Merge branch 'merchant_validation' of github.com:w3c/payment-request …
018d4c3 
…into merchant_validation
@ianbjacobs
merchant_validation is informative
b090589
@marcoscaceres marcoscaceres merged commit 26fbcf9 into gh-pages Mar 14, 2019
@marcoscaceres marcoscaceres deleted the merchant_validation branch March 14, 2019 02:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ianbjacobs ianbjacobs ianbjacobs requested changes

@rsolomakhin rsolomakhin rsolomakhin approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@marcoscaceres @ianbjacobs @rsolomakhin