feat: rewrite all the things

[marcoscaceres]

• Removed wording about overloading identifiers (closes #33)
• Defined "standardized payment method identifier" (closes #32)
• Cited URL standard (closes #30)
• Dropped dependency on [SECURE-CONTEXTS] (closes #29)
• defined "Standardized Payment Method Identifiers" (closes #23)
• Removed circular dependency (closes #22)
• Added proper URL parsing and specific validation with error (closes #8 #27 #28)
• Added Security considerations sections (closes #7)
• Added Marcos as editor + cleans up respecConfig
• Removes "Conditional Matching Beyond Payment Methods" (closes #34)

---

Preview | Diff

[annevk]

Note that "I was hoping you'd abstract validate a bit somehow instead. Parse -> serialize -> parse seems really hacky." got lost due to a commit. One of the downsides of not addressing all comments in a single commit.

[ianbjacobs]

@domenic wrote:

Do you really want to allow about:blank, about:srcdoc, wss: URLs, file: URLs, etc.? (All are potentially trustworthy.)

I think the answer is "no." However, I wonder if there are some use cases for them (e.g., local testing of a payment method?) We've not really discussed those, and I think the intended use cases are for published payment method manifest files.

Do you want to allow usernames or passwords in the URL?

Again, I think the answer is "no" but there might be use cases we've not considered.

What is wrong with queries?

I don't recall the rationale exactly, but I think it had to do with simplicity.

These are good questions.

Ian

[marcoscaceres]

This is ready for final review.