w3c / secure-payment-confirmation

Secure Payment Confirmation (SPC)
https://w3c.github.io/secure-payment-confirmation/

What is a fully qualified origin? #149

Closed annevk closed 2 years ago

annevk commented 2 years ago

I came across

If request.payeeOrigin is not a fully qualified origin, return false.

and it's not at all clear to me how this works. Are you parsing the input? How?

annevk commented 2 years ago

Aside: the syntax you want to use to access a dictionary member is the same as Infra map syntax, so

request["payeeOrigin"]

stephenmcgruer commented 2 years ago

Link to the part of the SPC spec that @annevk is referring to: https://w3c.github.io/secure-payment-confirmation/#sctn-steps-to-check-if-a-payment-can-be-made (step 2).

This was an attempt to satisfy the description of payeeOrigin: https://w3c.github.io/secure-payment-confirmation/#dom-securepaymentconfirmationrequest-payeeorigin

payeeOrigin member, of type USVString
    The fully qualified origin of the payee that this SPC call is for (e.g., the merchant).

The description here was stolen from WebAuthn: https://w3c.github.io/webauthn/#dom-collectedclientdata-origin

origin, of type DOMString
    This member contains the fully qualified origin of the requester, as provided to the authenticator by the client, in the syntax defined by [RFC6454].

The difference here is that for WebAuthn, origin is an output. Their input is a different origin (same name, different variable):

https://w3c.github.io/webauthn/#dom-publickeycredential-discoverfromexternalsource-origin-options-sameoriginwithancestors-origin

This argument is the relevant settings object's origin, [...]

To which they then apply a serialization (step 9 of https://w3c.github.io/webauthn/#sctn-discover-from-external-source, linking to https://html.spec.whatwg.org/multipage/origin.html#ascii-serialisation-of-an-origin).

So that's all the background, which... doesn't actually matter. What we're trying to do is allow the caller to pass in a claimed origin as the payee of the call. I'm not even sure it has to literally be an origin (perhaps the caller should be able to provide any description of the payee for SPC to show the user, and to be signed over), but for now origin seemed a reasonable 'description' of a payee on the web.

I imagine what we need to do here is find the proper wording for 'the caller gave us something that looks like http(s)://example.org'. :)

annevk commented 2 years ago

You probably want to borrow language from HTML's postMessage(). Making it a shared primitive might be even nicer, though perhaps that warrants more callers.
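As an added illustration of the two readings discussed in this thread (this is example code, not text or code from the SPC spec, WebAuthn, or the HTML spec), the block below contrasts a strict "the input is already a serialized origin" check with the more lenient approach along the lines of postMessage()'s targetOrigin handling, which parses the input as a URL and keeps only its origin. It relies on the WHATWG URL parser as exposed by Node's global `URL`; the function names, the restriction to http/https (following the "looks like http(s)://example.org" wording above), and the sample inputs are assumptions made for the example.

```javascript
// Added example: two ways a spec step could interpret "fully qualified
// origin" for a caller-supplied string such as SPC's payeeOrigin.
// Not the SPC spec's normative text; names and the http/https restriction
// are assumptions for illustration.

// Assumption: only http(s) payees make sense here, per the thread.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Strict reading: the input must be exactly the ASCII serialization of a
// tuple origin, i.e. scheme "://" host [":" port], with nothing else.
// WHATWG URL's `origin` getter yields that serialization (or "null" for an
// opaque origin), so comparing it to the raw input rejects paths, userinfo,
// trailing slashes, default ports and uppercase hosts.
function isFullyQualifiedOrigin(input) {
  if (typeof input !== "string") return false;
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    return false; // not parseable as an absolute URL (e.g. "example.org")
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return false;
  return url.origin !== "null" && url.origin === input;
}

// Lenient, postMessage-style reading: parse the input as a URL and use the
// parsed URL's origin, discarding path, query, fragment and credentials.
// Returns null where postMessage() would throw (parse failure) or where the
// scheme is not one we accept.
function originFromTargetOrigin(input) {
  if (typeof input !== "string") return null;
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.origin === "null" ? null : url.origin;
}

// Constructed sample inputs showing where the two readings diverge.
const SAMPLE_INPUTS = [
  "https://example.org",              // canonical serialized origin
  "https://example.org:8443",         // non-default port survives
  "https://example.org/",             // trailing slash: not a bare origin
  "https://example.org/checkout?x=1", // path/query: lenient strips them
  "https://user:pw@example.org:443/", // credentials + default port
  "https://Example.ORG",              // host is lowercased on parse
  "example.org",                      // no scheme: URL parse fails
  "javascript:alert(1)",              // parses, but scheme is rejected
];

// Builds a comparison table so the difference is visible at a glance.
function compareReadings(inputs = SAMPLE_INPUTS) {
  return inputs.map((input) => ({
    input,
    strict: isFullyQualifiedOrigin(input),
    lenient: originFromTargetOrigin(input),
  }));
}

for (const row of compareReadings()) {
  console.log(
    `${row.input.padEnd(36)} strict=${String(row.strict).padEnd(5)} ` +
      `lenient=${row.lenient}`
  );
}
```

The strict variant is the one a "return false unless X is a fully qualified origin" step implies, but note that it also rejects inputs a human would consider the same origin (`https://Example.ORG`, `https://example.org:443`); the lenient variant accepts those and silently drops path and userinfo, which is what postMessage() does, so the spec needs to say which behaviour it wants rather than just "fully qualified".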