Did you mean to sync up with this Chrome code? That code should be executing in the PaymentRequest() constructor, as far as I can see. Its sequence of checks is:

1. Credential ID list: non-empty.
2. Timeout: under 1 hour.
3. Instrument display name: non-empty.
4. Instrument icon: valid URL.
5. Either payee origin or name: non-empty.
6. RP ID: non-empty.

This spec here appears to have:

1. Credential ID list: non-empty. ✅
2. Timeout: no checks. (Spec may want to add this.) ⬅️
3. Instrument icon: no checks. (Spec should check this.) 🔥
4. Challenge: non-empty. (Chrome should start doing this.) 🔥
5. RP ID: valid domain. (Chrome should start doing this.) 🔥
6. Either payee name or origin: non-empty. ✅
7. Payee origin: valid https URL. (Chrome should start doing this.) 🔥
8. Instrument display name: non-empty. (Spec may want to move this up to position 3.) ⬅️

There are some differences here, including ordering of checks. Am I looking at the wrong chunk of Chrome code by accident?

Thank you for this excellent and detailed overview of the differences!

There are some differences here, including ordering of checks. Am I looking at the wrong chunk of Chrome code by accident?

Nope, you are just doing a great job of reviewing <3.

I've made the following changes in the latest commit:

1. Check each credentialId to be non-empty (I think Chrome should do this here too?)
2. Move displayName check up to after checking the challenge (so the order of the first few are credentialId checks, challenge check, instrument checks)
3. Added checking that icon is non-empty and valid.

Credential ID list: non-empty.

I think Chrome should also check that the individual IDs here are non-empty; WDYT?

Timeout: under 1 hour.

I think we should actually drop this check from Chrome currently, as the WebAuthn layer should handle it (https://w3c.github.io/webauthn/#:~:text=.publicKey.-,If%20the%20timeout%20member%20of%20options%20is%20present,-%2C%20check%20if%20its), and currently the timeout is only used for that layer. In the future if we make the timeout apply to the SPC dialog itself, we should do better.

WDYT?

Payee origin: valid https URL. (Chrome should start doing this.) 🔥

I think we do it here (part of the Chrome code you linked), so Chrome should be good here?

RP ID: valid domain. (Chrome should start doing this.) 🔥

Btw Chrome does partially do this here, but only checks for non-empty. It's also in the wrong check-order versus the spec, should be before payeeName/payeeOrigin.

Comparing to the Chrome code that determines whether canMakePayment() will return true:

1. Credential IDs list: non-empty. (Fails only on compromised renderer.) ✅
2. Each credential ID: non-empty. (The PaymentRequest() constructor should be checking this, too.) 🔥
3. Timeout: under 1 hour. (Fails only on compromised renderer.) ✅
4. Challenge: non-empty. (The PaymentRequest() constructor should be checking this, too.) 🔥
5. Instrument display name: non-empty. (Fails only on compromised renderer.) ✅
6. Instrument icon: valid URL. (Fails only on compromised renderer.) ✅
7. Download the icon.
8. Check for instrument IDs on device.

This spec here has:

1. Payee origin: valid https URL. (Chrome should check that either payeer origin is a valid https URL or payee name is non empty in here.) 🔥
2. Download the icon. ✅
3. Check for instrument IDs on device. ✅

Ack; I think there are no spec-changes needed from this comment? (As (2) and (4) are covered in the other comment, and since the spec shouldn't worry about compromised renderers ;)).

I will open a Chrome bug later to address all the mismatches we have identified too.