13:56:51 RRSAgent has joined #wpwg 13:56:51 logging to http://www.w3.org/2017/08/10-wpwg-irc 13:56:57 Meeting: Web Payments Working Group 13:57:01 Chair: Adrian Hope-Bailie 13:57:16 Agenda: https://github.com/w3c/webpayments/wiki/Agenda-20170810 13:57:18 Scribe: Ian 14:02:21 alyver has joined #wpwg 14:02:57 AdrianHB has joined #wpwg 14:03:27 present+ AdrianhB 14:03:31 zkoch has joined #wpwg 14:04:45 present+ 14:04:48 present+ 14:04:56 present+ 14:05:06 Ian has changed the topic to: 10 Aug agenda https://github.com/w3c/webpayments/wiki/Agenda-20170810 14:05:07 Max has joined #WPWG 14:05:30 present+ Molly 14:05:31 zakim, who's here? 14:05:31 Present: AdrianhB, zkoch, Ian, alyver, Molly 14:05:33 On IRC I see Max, AdrianHB, alyver, RRSAgent, Zakim, cweiss, dlehn, jungkees, adamR, pea13, canton_, dlongley, manu, hober, nicktr, emschwartz, adrianba, Ian, trackbot, Dongwoo, 14:05:33 ... mkwst, oyiptong, JakeA, ShaneM, natasha, slightlyoff 14:05:53 regrets+ NickTR 14:06:33 topic: 14:06:33 Status of publication of CRs 14:06:38 Topic: Status of publication of CRs 14:06:44 present+ Max 14:06:46 zkoch has joined #wpwg 14:06:59 IJ: Editor update? 14:07:14 zkoch: We met yesterday and discussed all the open issues that we think are blocking for CR (3-4) 14:07:22 ..we saw resolution on the issue of payment handler data 14:07:36 https://github.com/w3c/payment-request/issues?utf8=%E2%9C%93&q=is%3Aopen%20is%3Aissue%20-label%3A%22Priority%3A%20Postponed%22%20-label%3A%22Editorial%22%20-label%3A%22Process%20aid%22%20 14:07:41 zkoch: I think there is one PR pending 14:07:46 ..and one more to submit, then we should be good 14:07:54 ..so by end of next week we should be ready to do the transition request 14:08:23 Draft transition request => https://www.w3.org/2017/07/13-prapi-cr-trans-req.txt 14:09:21 Topic: Basic Card status 14:10:16 zkoch: Marcos re-raised. 14:10:20 ian: We have resolved 2 times 14:10:31 ..let us take to email 14:11:16 IJ: Anything else about CR transition? 14:11:32 (Silence) 14:11:38 Topic: 14:11:38 Topic: Status of Payment Method Manifest FPWD 14:12:02 ian: Did a review of manifest spec in prep for FPWD 14:12:10 https://github.com/w3c/payment-method-manifest/issues/11 14:12:14 ... main thing I noticed related to security 14:12:53 ... should spec say more about handling absence of manifest 14:14:25 ... want to focus on which spec needs to say what in order to acheive desired security properties 14:14:55 ... specifically where do we define default behaviour for no-manifest 14:15:39 ... rouslan has added considerations for this in handler spec but this is maybe not the right place for it (should be browser level) 14:15:53 ... want to cover this before FPWD 14:16:01 ... resolve or put issue markers 14:16:10 q? 14:16:21 zkoch: I agree that the question of default for origin is one we need to answer. 14:16:41 ...a simpler question is: is a manifest required for any URL PMI? 14:16:47 ...I don't think it's just a security question 14:17:18 ...should the ability to "stand by itself" be available as easily to parties who publish URL PMIs. 14:20:04 ian: my take is, what are the things I want to say and how do I say them. The manifest is one way to say them 14:20:18 ... you could say things in the PMI for example 14:21:11 ... it could be that one answers the question of origin control in two ways but we may want to only use one which then makes manifest mandatory 14:21:29 ... I acknowledge it could be about other things (not just security) 14:21:38 q? 14:22:47 q+ 14:22:52 q+ to ask about how to handle failure to fetch 14:24:09 zkoch: I acknowledge that there may be use cases where manifests are not required (open payment methods) but I want to focus on current reality which is a number of origin-owners that want to use the manifest 14:24:19 ... I am inclined to say manifest should be required 14:24:28 1) Same origin policy for the web applies to payment systems 14:25:05 (IJ: let's use PR api to say that) 14:25:11 I worry that we are conflating the use of the URL as an identifier with it's use as an origin 14:25:33 2) There are multiple ways to declare other origins 14:25:36 a) PMM 14:25:42 b) W3C publishes a payment method spec 14:26:09 q? 14:26:12 ack ian 14:26:24 3) In the world of PMM's, we need to talk about error handling to fall back to same origin policly 14:26:42 4) If you want to make PMM's mandatory, do you say something in PMI? 14:27:08 ..but would want to allow multiple formats 14:27:11 ack Adr 14:27:11 AdrianHB, you wanted to ask about how to handle failure to fetch 14:27:16 ack me 14:27:56 adrianhb: Assuming we did want to make PMM's mandatory, then I think the statement about what to do without manifests should be in the PMM spec, and there should be a default behavior in that spec. 14:28:14 (e.g., what the default PMM is in the absence of one or failure to load) 14:28:22 ..what worries me as a payment method publisher 14:28:37 q+ to ask about other PMM formats and why "absence" should be handled outside of it 14:28:49 ...knock on implications of failure seem heavy 14:29:20 zkoch: The idea of a default manifest or some fallback in case of failure seems worth exploring 14:29:43 ...to the question of the upkeep of the manifest: deciding to engage in this ecosystem is a business decision 14:30:06 ...just like offering code to put into a site 14:30:14 ...these all come with burden of maintenance 14:30:25 ...there is burden in all code; this is no different 14:30:48 AdrianHB: The challenge for me is the complexity of monitoring this 14:31:00 ...I don't know if my page is being returned to browsers 14:31:08 ...it's quite a burdensome thing to monitor from that perspective. 14:31:27 ...I appreciate the point that this is a burden like others 14:32:49 I find that a very confusing statement :) 14:33:48 ian: the idea of a spec saying what to do when that spec is not implemented seems confusing 14:34:03 ... it's also possible there may be other formats 14:34:32 ... the "matching" process can be pulled out of the manifest spec 14:34:38 q+ 14:34:41 ack ian 14:34:41 Ian, you wanted to ask about other PMM formats and why "absence" should be handled outside of it 14:35:17 ... there is a global statement about SOP that should be in PR spec 14:36:10 ... does it make sense for webappmanifest to also have payment related information 14:36:37 IJ: I was wondering if we could squat on PMI namespace to say something like www.bank.com/no-manifest 14:36:41 And that means "Open" 14:36:52 And user agents know not to go fetch the manifest 14:38:28 AHB: What are arguments against same origin statement in PR API? 14:38:34 IJ: "Don't touch the spec" 14:38:59 AHB: What is implemented? 14:40:09 https://w3c.github.io/payment-request/#security-considerations 14:41:39 Let's look at 12.5 in https://w3c.github.io/payment-request/#show()-method 14:42:34 IJ: We could say something in the security considerations. 14:44:44 ... the start of this was the motivation be able to delegate auth to serve their payment method from other apps 14:45:23 ... at a high level we need to say somewhere "don't serve apps from other origins unless you have information that says you can" 14:46:18 ... we should have some guidance (possibly non-normative) to say that 14:50:41 q+ to say I don't think it should be in PMI 14:51:12 Topic: next meeting 14:51:16 24 Aug proposed 14:51:20 ack AdrianHB 14:51:20 AdrianHB, you wanted to say I don't think it should be in PMI 14:51:40 AdrianHB: On the question of security - not PMI, which has shrunk to simple definitions 14:53:41 AdrianHB: At risk for 24 Aug 14:53:47 RRSAGENT, make minutes 14:53:47 I have made the request to generate http://www.w3.org/2017/08/10-wpwg-minutes.html Ian 14:53:51 alyver has left #wpwg 14:53:52 RRSAGENT, set logs public 15:17:55 AdrianHB has joined #wpwg 16:48:35 AdrianHB has joined #wpwg 17:02:50 Zakim has left #wpwg 17:20:46 AdrianHB has joined #wpwg 17:51:27 betehess has joined #wpwg 18:34:01 betehess has joined #wpwg 19:45:18 dlehn has joined #wpwg 21:03:58 betehess has joined #wpwg 22:48:50 betehess has joined #wpwg 23:53:09 dlehn has joined #wpwg