IRC log of apps on 2017-01-12
Timestamps are in UTC.
- 16:01:45 [RRSAgent]
- RRSAgent has joined #apps
- 16:01:45 [RRSAgent]
- logging to http://www.w3.org/2017/01/12-apps-irc
- 16:01:50 [Ian]
- Meeting: Payment App Dev Sync
- 16:01:53 [Ian]
- Chair: Conor
- 16:01:56 [Ian]
- Scribe: Ian
- 16:02:04 [Ian]
- present+
- 16:02:06 [Ian]
- present+ Frank
- 16:02:07 [rouslan]
- rouslan has joined #apps
- 16:02:09 [Ian]
- present+ Mathieu
- 16:02:11 [Ian]
- present+ Rouslan
- 16:02:15 [Ian]
- present+ Pascal
- 16:02:16 [mathp]
- mathp has joined #apps
- 16:02:16 [Ian]
- present+ Roy
- 16:02:34 [mathp]
- present+
- 16:03:17 [Ian]
- present+ Conor
- 16:03:22 [Ian]
- zakim, who's here?
- 16:03:22 [Zakim]
- Present: Ian, Frank, Mathieu, Rouslan, Pascal, Roy, mathp, Conor
- 16:03:24 [Zakim]
- On IRC I see mathp, rouslan, RRSAgent, Zakim, adamR, AdrianHB, Dongwoo, Ian
- 16:03:26 [pascal_bazin]
- pascal_bazin has joined #apps
- 16:03:34 [conorhwp]
- conorhwp has joined #apps
- 16:03:42 [Ian]
- present- Mathieu
- 16:03:46 [Ian]
- zakim, who's here?
- 16:03:46 [Zakim]
- Present: Ian, Frank, Rouslan, Pascal, Roy, mathp, Conor
- 16:03:49 [Zakim]
- On IRC I see conorhwp, pascal_bazin, mathp, rouslan, RRSAgent, Zakim, adamR, AdrianHB, Dongwoo, Ian
- 16:03:56 [frank]
- frank has joined #apps
- 16:04:58 [Ian]
- present+ AdamR
- 16:05:34 [Ian]
- topic: Update from browser
- 16:05:38 [Ian]
- topic: Update from app developers
- 16:05:43 [Ian]
- topic: Highlights and blockers
- 16:05:51 [Ian]
- topic: Payment app spec changes?
- 16:06:10 [Ian]
- agenda+ Update from browser
- 16:06:17 [Ian]
- agenda+ Update from app developers
- 16:06:22 [Ian]
- agenda+ Highlights and blockers
- 16:06:32 [Ian]
- agenda+ Payment app spec changes?
- 16:06:35 [Ian]
- agenda+ Next steps
- 16:06:39 [Ian]
- zakim, take up item 1
- 16:06:39 [Zakim]
- agendum 1. "Update from browser" taken up [from Ian]
- 16:06:51 [rouslan]
- q+ to talk about payment app status
- 16:07:15 [Ian]
- adamr: We are moving forward internally but don't have updates for you yet
- 16:07:50 [Ian]
- q?
- 16:08:01 [Ian]
- ack rous
- 16:08:01 [Zakim]
- rouslan, you wanted to talk about payment app status
- 16:08:27 [Ian]
- rouslan: Payment App API status in Chrome - we are attacking both native apps and service-worker based apps
- 16:08:39 [Ian]
- ...for native, partially implemented behind AndroidPaymentApps flag
- 16:08:51 [Ian]
- ...if you use that you should be able to write an android app that talks to PR API
- 16:08:59 [Ian]
- ...next steps would be to download the manifest file
- 16:09:15 [adamR]
- q+ to ask Rouslan about the native interface
- 16:09:16 [Ian]
- ..I think there's a patch from Samsung that will pre-query apps to see if they are ready to pay
- 16:09:33 [Ian]
- ..meanwhile on Service-worker based apps, Opera and Samsung are implementing changes.
- 16:09:42 [Ian]
- ...it's currently behind a flag
- 16:10:02 [Ian]
- ..in there, service workers can register as payment apps and, I believe that the app names can be displayed (but not yet the options)
- 16:10:14 [Ian]
- ...working on how to invoke the payment apps
- 16:10:15 [Ian]
- ack adam
- 16:10:15 [Zakim]
- adamR, you wanted to ask Rouslan about the native interface
- 16:10:35 [Ian]
- adamR: Last time we looked into this it wasn't possible for another browser to hook into the native app api.
- 16:10:53 [Ian]
- Rouslan: I received feedback that my spec was not specific enough. I started to add more WebIDL type information to the spec
- 16:11:10 [Ian]
- ..I also plan to add more algorithms, which would make it easier for other browsers to implement the spec without looking at Chrome code
- 16:11:27 [Ian]
- ..the spec is still changing...we noticed some issues from developers where we should really be following more of a service-worker based approach
- 16:11:36 [Ian]
- ...so the spec is available but is changing based on that feedback
- 16:11:42 [Ian]
- [Spec URL from Rouslan]
- 16:11:50 [rouslan]
- https://groups.google.com/a/chromium.org/forum/#!msg/chromium-dev/fsslHD1Gf88/K2KpikS6BwAJ
- 16:11:55 [Ian]
- q?
- 16:12:00 [Ian]
- zakim, who's here?
- 16:12:00 [Zakim]
- Present: Ian, Frank, Rouslan, Pascal, Roy, mathp, Conor, AdamR
- 16:12:02 [Zakim]
- On IRC I see frank, conorhwp, pascal_bazin, mathp, rouslan, RRSAgent, Zakim, adamR, AdrianHB, Dongwoo, Ian
- 16:12:09 [Ian]
- present+ AdrianHB
- 16:13:14 [Ian]
- zakim, close item 1
- 16:13:14 [Zakim]
- agendum 1, Update from browser, closed
- 16:13:15 [Zakim]
- I see 4 items remaining on the agenda; the next one is
- 16:13:15 [Zakim]
- 2. Update from app developers [from Ian]
- 16:13:17 [Ian]
- zakim, take up item 2
- 16:13:17 [Zakim]
- agendum 2. "Update from app developers" taken up [from Ian]
- 16:13:23 [Ian]
- q+ conor
- 16:13:26 [Ian]
- ack conor
- 16:14:03 [Ian]
- Conor: I tested Tommy's implementation of the service-worker based payment apps into Chromium. It worked well. I was able to host my own payment app and use alongside Tommy's and use either to make a payment
- 16:14:11 [Ian]
- ...so that was cool (even though still early)
- 16:14:24 [Ian]
- ...is the work that Tommy has released the same work that Rouslan mentioned here?
- 16:14:31 [Ian]
- Rouslan: Same
- 16:14:45 [Ian]
- ...his work will end up at some point in Chromium source code
- 16:15:06 [Ian]
- Conor: It would be great to have one build of Chromium that supports both the native and service-worker bits
- 16:15:16 [Ian]
- Rouslan: It will be available in an upcoming Chrome canary release
- 16:15:47 [Ian]
- Conor: For native android apps, what if I wanted to launch a native windows or MacOS app
- 16:15:54 [Ian]
- ...do you foresee support for that at some point?
- 16:16:03 [Ian]
- ...if not, could it be triggered through a scheme host?
- 16:16:23 [adamR]
- q+
- 16:16:25 [Ian]
- ...could you launch a native app in a native app in mac and have a service worker communicate with it (e.g., via localhost)?
- 16:16:30 [rouslan]
- q+
- 16:16:38 [Ian]
- ...the native app could do the work and the service worker could do the communication
- 16:16:54 [Ian]
- ack ad
- 16:17:25 [Ian]
- adamR: Is it possible to install web extensions? They could act as service workers and call out to native apps
- 16:17:32 [Ian]
- ...that's the writeup that I threw together in london
- 16:17:35 [Ian]
- ack rous
- 16:17:45 [Ian]
- rouslan: We haven't looked explicitly into extensions as payment apps
- 16:17:58 [Ian]
- ..I think that the service worker approach is not as hacky as you think...it's flexible and powerful
- 16:18:18 [Ian]
- ...because service workers can show a page in the browser AND talk to server (which can reach out to devices or apps on devices)
- 16:18:39 [Ian]
- ...I think the solution that you have described is not only reasonable, but I think I would prefer this approach
- 16:18:51 [adamR]
- q+
- 16:18:57 [Ian]
- Conor: Ok, I'll look into this further and perhaps share a proof of concept
- 16:19:05 [Ian]
- ack ad
- 16:19:23 [Ian]
- adamR: If you have things that you want to do that you can't accomplish with the web platform, it's probably best to raise those as gaps in a W3C context
- 16:19:37 [Ian]
- Ian: +1
- 16:19:41 [Ian]
- q?
- 16:19:50 [Ian]
- {rouslan has to leave}
- 16:20:23 [Ian]
- Conor: other app developer stories?
- 16:20:33 [pascal_bazin]
- q+
- 16:21:06 [AdrianHB]
- q+ to mention app we'd like to develop for FTF to demo Interledger via PaymentRequest
- 16:21:11 [Ian]
- Conor: My other question (for Google) is about a web payment app developed by google shared on a google+ page
- 16:21:42 [rouslan]
- https://groups.google.com/a/chromium.org/forum/#!msg/chromium-dev/fsslHD1Gf88/K2KpikS6BwAJ
- 16:22:09 [rouslan]
- https://drive.google.com/drive/u/0/folders/0B9_TYWUgXNVFS093UmZXUlEwcVE ?
- 16:22:24 [rouslan]
- doc is evolving
- 16:22:59 [Ian]
- q?
- 16:23:02 [Ian]
- ack Pas
- 16:23:14 [rouslan]
- https://polykart-credential-payment.appspot.com/ ?
- 16:23:30 [Ian]
- Pascal: I am working on a third party payment app using our SDK for banks
- 16:24:06 [Ian]
- q?
- 16:24:13 [mathp]
- q+ on web payment apps
- 16:24:15 [Ian]
- ack AdrianHB
- 16:24:15 [Zakim]
- AdrianHB, you wanted to mention app we'd like to develop for FTF to demo Interledger via PaymentRequest
- 16:24:44 [Ian]
- AdrianHB: Our team at Ripple would like to connect inter ledger work with payment apps
- 16:24:54 [Ian]
- ...we are hoping to put together either a web app or android app or both
- 16:24:59 [Ian]
- ...to show at the FTF meeting
- 16:26:20 [Ian]
- IJ: I can easily see Evan and Stefan at the FTF. :)
- 16:26:21 [Ian]
- q?
- 16:26:23 [Ian]
- ack mat
- 16:26:23 [Zakim]
- mathp, you wanted to comment on web payment apps
- 16:26:31 [Ian]
- mathp: I have a question about web payment apps
- 16:27:00 [Ian]
- ...has the group considered a repo where we can share information about payment app implementations?
- 16:27:06 [conorhwp]
- q+
- 16:27:13 [pascal_bazin]
- good idea
- 16:27:15 [Ian]
- q+
- 16:27:16 [Ian]
- ack con
- 16:27:31 [Ian]
- conorhwp: I have discussed this internally. We plan to release some source code for payment apps that we're working on
- 16:27:40 [Ian]
- ...we will likely release both a web-based and native app
- 16:28:03 [Ian]
- ...client side code would be released
- 16:28:08 [Ian]
- ...would be on github
- 16:28:14 [Ian]
- ack me
- 16:28:30 [Ian]
- Experimentation part of our wiki:
- 16:28:30 [Ian]
- https://github.com/w3c/webpayments/wiki#experimentation-and-implementation
- 16:29:09 [Ian]
- Mathieu: Yes, that's what I was looking for.
- 16:29:42 [Ian]
- ACTION: Ian to write to the web payments WG and suggest that people list their projects there (when they can)
- 16:31:03 [Ian]
- q?
- 16:31:23 [Ian]
- Frank: We are still playing around with Tommy's work
- 16:31:34 [Ian]
- ...we are trying to get our proper payment app in there....no feedback yet
- 16:31:40 [Ian]
- q?
- 16:31:44 [Ian]
- zakim, close this item
- 16:31:44 [Zakim]
- agendum 2 closed
- 16:31:45 [Zakim]
- I see 3 items remaining on the agenda; the next one is
- 16:31:45 [Zakim]
- 3. Highlights and blockers [from Ian]
- 16:31:53 [Ian]
- zakim, take up item 3
- 16:31:53 [Zakim]
- agendum 3. "Highlights and blockers" taken up [from Ian]
- 16:32:17 [Ian]
- Conor: Seems like there is some good implementation experience (both native and web)
- 16:32:49 [Ian]
- https://github.com/w3c/webpayments-payment-apps-api/issues
- 16:33:57 [Ian]
- https://github.com/w3c/webpayments-payment-apps-api/issues/73
- 16:35:07 [Ian]
- IJ: Any experimentation around opening windows?
- 16:35:28 [Ian]
- Mathp: We'll look into this
- 16:36:39 [Ian]
- IJ: Any experimentation around the use of HTTP Link headers to get from payment method URL to manifest file
- 16:37:18 [Ian]
- https://github.com/w3c/webpayments-payment-apps-api/issues/14
- 16:37:45 [Roy]
- Roy has joined #apps
- 16:37:56 [Ian]
- Is anybody implementing "Launch when there is only one match"
- 16:38:27 [Ian]
- AdamR: Regarding the feature, we have some problematic privacy issues. I am ok as long as the user opts into the behavior
- 16:39:34 [Ian]
- ..note that calling payment request API does not itself require user interaction.
- 16:39:39 [Ian]
- ...can be done "on load"
- 16:39:49 [Ian]
- Mathp: I think we should leave to browsers to figure it out.
- 16:40:08 [AdrianHB]
- +1 to leave to browsers
- 16:40:25 [Ian]
- IJ: I was not suggesting a requirement, only asking if people are experimenting around this
- 16:41:37 [Ian]
- https://w3c.github.io/webpayments-payment-apps-api/#selection
- 16:41:47 [Ian]
- AdamR: We should not encourage inherently unsafe behavior
- 16:42:50 [Ian]
- IJ: I need to fix this: "If the user selects an unregistered recommended payment app, the user agent SHOULD offer the user an opportunity to register it."
- 16:42:54 [Ian]
- ..that is now how it works.
- 16:43:26 [Ian]
- q?
- 16:43:40 [Ian]
- IJ: Should we say anything in 9.2?
- 16:44:00 [Ian]
- Mathp: Where the spec could bring value is around security (e.g., origin information)
- 16:44:23 [Ian]
- ..if we encourage implementers to display origin or security status, it mitigates the issue around selecting and facilitating selection of payment apps
- 16:44:43 [Ian]
- https://w3c.github.io/webpayments-payment-apps-api/#selectable-app-information-display
- 16:46:02 [Ian]
- IJ: Is the requirement to display origin information about each payment app?
- 16:47:19 [Ian]
- Mathp: Maybe the requirement is not during *selection* but rather when the app is running
- 16:47:31 [Ian]
- https://w3c.github.io/webpayments-payment-apps-api/#payment-app-authenticity
- 16:47:54 [Ian]
- IJ: I could see advice there that payment apps should show users their origins when running
- 16:47:57 [Ian]
- Mathp: +1
- 16:48:14 [Ian]
- Action: Ian to write up a proposal for a security consideration on payment app origin
- 16:48:17 [Roy]
- q+
- 16:48:24 [Ian]
- ack roy
- 16:49:31 [Ian]
- /me missed the question
- 16:50:28 [Ian]
- Roy: For tokenized spec (and possibly other payment methods), app implementers don't have merchant information
- 16:50:35 [Ian]
- ...these are requests from "the internet at large"
- 16:50:45 [Ian]
- ..have we thought about providing origin information to the payment app
- 16:51:26 [Ian]
- https://w3c.github.io/webpayments-payment-apps-api/#dfn-app-request-data
- 16:51:34 [Ian]
- 10.1 Payment App Request Data
- 16:51:57 [Ian]
- IJ: Origin information of merchant is available to payment app
- 16:51:59 [Ian]
- q?
- 16:52:48 [Ian]
- Proposed: Close issue 14 with no change
- 16:52:52 [Ian]
- https://github.com/w3c/webpayments-payment-apps-api/issues/14
- 16:53:47 [Ian]
- AdrianHB: The security risk is that users accidentally set defaults to pay
- 16:54:39 [Ian]
- IJ: The flow I hear that is harmful is:
- 16:54:47 [Ian]
- - merchant calls PR API without user interaction
- 16:54:57 [Ian]
- - app is launched automatically since one matching app only
- 16:55:18 [Ian]
- - app automatically returns card information since configured to do so for that origin without further user interaction
- 16:55:53 [Ian]
- AdrianHB: I think we need to say something about user agents taking into account both origin and payment method when the user sets up a default payment app
- 16:57:48 [conorhwp]
- q+
- 16:57:51 [AdrianHB]
- +1 I don't think we should PREVENT anything but provide some guidance on security issues to watch for
- 16:58:17 [Ian]
- IJ: Feels to me that the whole flow from pr API to payment response data has to have SOME user interaction
- 16:58:28 [Ian]
- AdamR: But buttons can be mislabeled
- 16:58:54 [Ian]
- Mathp: I am hearing for PR API that there needs to be explicit confirmation from the user to pay (e.g., "You are about to pay with Amex. Is that ok?"
- 16:58:57 [Ian]
- ack con
- 16:59:08 [Ian]
- conorhwp: I need to go....thanks all!
- 16:59:23 [RRSAgent]
- I have made the request to generate http://www.w3.org/2017/01/12-apps-minutes.html Ian
- 16:59:25 [AdrianHB]
- Have to go too I'm afraid
- 17:00:00 [mathp]
- Ian: Explicit or Implicit confirmation -> user sees the pre-selected payment app
- 17:00:29 [Ian]
- IJ: Does someone want to raise the PR API issue?
- 17:00:43 [Ian]
- https://github.com/w3c/browser-payment-api/issues
- 17:00:59 [Ian]
- IJ: Should I register an issue?
- 17:01:17 [Ian]
- Mathp: I can have a look at the spec and raise and issue if needed
- 17:01:34 [Ian]
- ACTION: Mathieu to review PR API to see if required user confirmation is there, otherwise raise and issue
- 17:02:38 [Ian]
- IJ: Then Payment App API spec can say "If the app is configured to return response data automatically, user agent needs to take into account confirmation per PR API."
- 17:02:53 [Ian]
- AdamR: We explicitly want to enable 1-click scenarios.
- 17:03:30 [Ian]
- ...the model I have in my head is camera access
- 17:03:40 [Ian]
- ...the way it works today is "for this origin, don't ask me, just do it."
- 17:04:03 [Ian]
- ...I am proposing we can give the user a stateful config but absent that there needs to be confirmation
- 17:04:30 [Ian]
- Mathp: So I am hearing a combination of a payee origin + payment app origin is sufficient for automation
- 17:04:41 [Ian]
- AdamR: If the user says "yes, for this origin always grant access to this payment app"
- 17:05:27 [Ian]
- ...automatic payment is analogous to a merchant with card on file using it to get paid without further interaction from me.
- 17:05:37 [Roy]
- I need to roll out, see you all next thursday
- 17:06:06 [Ian]
- rrsagent, make minutes
- 17:06:06 [RRSAgent]
- I have made the request to generate http://www.w3.org/2017/01/12-apps-minutes.html Ian
- 17:06:11 [Ian]
- rrsagent, set logs public
- 17:25:54 [Ian]
- rrsagent, bye
- 17:25:54 [RRSAgent]
- I see 3 open action items saved in http://www.w3.org/2017/01/12-apps-actions.rdf :
- 17:25:54 [RRSAgent]
- ACTION: Ian to write to the web payments WG and suggest that people list their projects there (when they can) [1]
- 17:25:54 [RRSAgent]
- recorded in http://www.w3.org/2017/01/12-apps-irc#T16-29-42
- 17:25:54 [RRSAgent]
- ACTION: Ian to write up a proposal for a security consideration on payment app origin [2]
- 17:25:54 [RRSAgent]
- recorded in http://www.w3.org/2017/01/12-apps-irc#T16-48-14
- 17:25:54 [RRSAgent]
- ACTION: Mathieu to review PR API to see if required user confirmation is there, otherwise raise and issue [3]
- 17:25:54 [RRSAgent]
- recorded in http://www.w3.org/2017/01/12-apps-irc#T17-01-34
- 17:25:59 [Ian]
- zakim, bye
- 17:25:59 [Zakim]
- leaving. As of this point the attendees have been Ian, Frank, Mathieu, Rouslan, Pascal, Roy, mathp, Conor, AdamR, AdrianHB
- 17:25:59 [Zakim]
- Zakim has left #apps