Closed adrianhopebailie closed 7 years ago
+1 to rephrase "must start with https://" to say "must be hosted in a secure fashion." This opens the door to the future secure protocols.
I would get input from the WebSecWG before we change text here. In general, I agree with the intent - but if some weird "secure"(tm) protocol gets used by one UA, it risks screwing over all other UAs and remaining spec-conforming.
(fixed above)
Closed with adoption of PR 21 at 23 Feb Meeting http://www.w3.org/2017/02/23-wpwg-minutes.html
From: https://github.com/w3c/webpayments-method-identifiers/pull/16#discussion_r88373861
There is a concern that having browsers all over the world fetching a manifest all the time will put significant strain on the hosts of the manifest.
There are protocols that are better at serving static content than HTTP such as IPFS. While they're not supported in most browsers yet, they may be soon.
So, should we be limiting the PMI URLs to
https
as the scheme or rather wording this as something that requires fetching the manifest through a SecureContext or similar?