Privacy considerations concerning shipping cost calculation #906

Closed
crowgames opened this issue Apr 1, 2020 · 2 comments

@crowgames

In my Masters' thesis, I found a set of issues with the Web Payment APIs (see #903 for further reference). This is one of the mentioned issues.

My assumption is that a merchant is considered to be potentially untrustworthy until the payment intent is expressed through clicking on a "buy" button and the creation of the PaymentRequestEvent.

Currently, the mechanism of PaymentRequestUpdateEvents does leak such information before the payment intent was expressed (although redacted to postal codes).

As the spec mentions in the shipping address changed algorithm:

Unfortunately, even with the redactList, recipient anonymity cannot be assured. This is because in some countries postal codes are so fine-grained that they can uniquely identify a recipient.

This issue could be resolved by approaching the shipping cost calculation the other way round.
On many online platforms (e.g. ebay), a merchant specifies the shipping costs depending on the region/country/etc.
One could allow the same behaviour in the Payment Request API.
By doing so, no sensitive shipping address information would leak to the merchant before paymentIntent.

A merchant would provide a data structure that communicates to the user agent the cost depending on the entered address (e.g. Germany: free, EU: 5€, international: 20€).
The user agent could infer the cost automatically through a lookup in said data structure, without providing information to the merchant.

I am aware that this might be a not too easy change to the spec, but I did want to contribute it to the discussion.
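The following is an added illustration, not code from this issue or from the Payment Request specification: a small simulation contrasting what reaches the merchant under the current update-event flow (the address minus the redactList fields, so the postal code still gets through) with the proposed flow, where the merchant hands the user agent a rate table and the cost is computed locally. The table shape (ordered rules, first match wins, a `*` fallback), the field names and the sample address are assumptions made for this example.

```javascript
// Added example, not code from the issue or from the Payment Request spec:
// a simulation contrasting the current update-event flow with the proposed
// merchant-supplied rate table evaluated inside the user agent.

// Constructed sample address; no real person or location is described.
const sampleAddress = {
  country: "DE",
  region: "BE",
  city: "Berlin",
  postalCode: "10115",
  addressLine: ["Example Street 1"],
  recipient: "Jane Doe",
};

// --- Current flow (modelled) ---------------------------------------------
// Before any payment intent, the user agent strips the fields named in the
// redact list and passes the rest to the merchant's shippingaddresschange
// handler. postalCode is not redacted, which is the leak the issue describes.
const REDACT_LIST = ["addressLine", "recipient", "organization", "phone"];

function redactForMerchant(addr, redactList = REDACT_LIST) {
  const out = {};
  for (const [field, value] of Object.entries(addr)) {
    if (!redactList.includes(field)) out[field] = value;
  }
  return out;
}

function currentFlow(addr) {
  const merchantLog = []; // everything the merchant's handler was handed
  const merchantHandler = (partialAddr) => {
    merchantLog.push(partialAddr);
    return 5; // merchant prices shipping from what it received
  };
  const cost = merchantHandler(redactForMerchant(addr));
  return { cost, merchantSaw: merchantLog[0] };
}

// --- Proposed flow --------------------------------------------------------
// Hypothetical table shape (an assumption of this example): ordered rules,
// first match wins; a rule with match "*" is the required fallback.
const EU_SUBSET = ["AT", "BE", "FR", "IT", "NL"]; // illustrative, not complete
const merchantRateTable = {
  currency: "EUR",
  rules: [
    { match: { country: "DE" }, cost: 0 },
    { match: { countryIn: EU_SUBSET }, cost: 5 },
    { match: "*", cost: 20 },
  ],
};

function ruleMatches(rule, addr) {
  if (rule.match === "*") return true;
  if (rule.match.country !== undefined) return rule.match.country === addr.country;
  if (rule.match.countryIn !== undefined) return rule.match.countryIn.includes(addr.country);
  return false;
}

// Runs inside the user agent: the full address never leaves it.
function localShippingCost(addr, table) {
  for (const rule of table.rules) {
    if (ruleMatches(rule, addr)) return rule.cost;
  }
  // A table without a fallback cannot price every address; refuse rather
  // than ask the merchant, which would reintroduce the address leak.
  throw new Error("rate table has no matching rule and no '*' fallback");
}

function proposedFlow(addr, table = merchantRateTable) {
  const cost = localShippingCost(addr, table);
  return { cost, merchantSaw: null }; // nothing is sent to the merchant
}

console.log("current flow, merchant saw:", currentFlow(sampleAddress).merchantSaw);
console.log("proposed flow, cost:", proposedFlow(sampleAddress).cost, merchantRateTable.currency);
```

The contrast to watch is `merchantSaw`: under the modelled current flow it still contains `postalCode` before any buy button is pressed, while under the rate-table flow it is `null` because the lookup happens on the user agent side. The missing-fallback check matters in practice: a table that cannot price every address must fail closed instead of handing the address back to the merchant.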

@marcoscaceres
Member

Yeah, I think this would result in too many changes. Additionally, the shipping might be fulfilled by a different company, so it might not be possible to know ahead of time what the shipping cost will be (unless all shipping options are known for every region).

We are working towards limiting the amount of information being shared as part of:
#873

@crowgames, would you be ok with us closing this one in favour of #873?

@crowgames
Author

I'm fine with that reasoning.
