Just-in-time payment handler install · Issue #240 · w3c/payment-handler · GitHub
Closed
Description
To help bootstrap new payment handlers into the ecosystem, we at Chrome would like to experiment with installation of the payment handler at the time of payment. The use case would work as follows for a user that does not have `https://bobpay.xyz/pay` payment handler installed, for example.

- The merchant calls `new PaymentRequest([{supportedMethods: 'https://bobpay.xyz/pay'}], shoppingCart).show();`.
- The browser checks the HTTP headers from `https://bobpay.xyz/pay` to verify that it supports just-in-time installation of a payment handler. This would be indicated by a header that we need to name something. If the header is absent, the merchant would receive `NotSupportedError`.
- Otherwise, if the header is present, the browser shows the payment sheet with a prompt `Install a payment app from https://bobpay.xyz/pay? [ ALLOW ] [ DENY ]`.
- If the user taps `[ DENY ]`, the merchant would receive `NotSupportedError`.
- Otherwise, if the user taps `[ ALLOW ]`, the browser would open a popup window with a URL that instructs the payment app via a hash parameter (#) to install itself and prepare for payment. For example, `https://bobpay.xyz/pay#install-payment-handler-and-prepare-for-payment-from-origin=merchant-shop.com`. The payment handler should show an "Initializing..." screen on this page. The payment handler communicates its own readiness to process payments via the hash parameter as well.
- If the payment handler navigates to `https://bobpay.xyz/pay#fail`, then the installation failed. The browser should give the user the opportunity to install a different payment app, if possible.
- Otherwise, if the payment handler navigates to `https://bobpay.xyz/pay#success`, then the installation succeeded. At this point, the browser fires the `'paymentrequest'` event in the newly installed service worker with scope `https://bobpay.xyz/pay` and payment proceeds as defined in the rest of the spec. The service worker should communicate with the existing popup window via the service worker clients API to smoothly transition into showing the normal payment flow.

Is this something that's interesting to other implementers as well? If so, we are wondering what, if anything, should be added to this specification. I suspect that the following items would need to be defined somewhere.

- An HTTP header for `https://bobpay.xyz/pay` to indicate that it supports just-in-time install.
- `#install-payment-handler-and-prepare-for-payment-from-origin=`
- `#fail`
- `#success`
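The flow proposed in the issue above, modelled as an added example that is not part of the original issue and not code from Chrome or any other browser. The header name `X-Example-JIT-Install` is a hypothetical placeholder (the issue leaves the header unnamed), and the function names and the rule that the popup must end on the payment method URL itself before `#success` is honoured are assumptions.

```javascript
// Added example: models the browser-side decisions in the proposed flow.
// JIT_HEADER is a hypothetical placeholder; the issue leaves the header unnamed.
const JIT_HEADER = 'x-example-jit-install';
const INSTALL_PREFIX = '#install-payment-handler-and-prepare-for-payment-from-origin=';

// URL the browser would open in the popup after the user taps [ ALLOW ].
function installUrl(method, merchantHost) {
  const u = new URL(method);
  u.hash = INSTALL_PREFIX + encodeURIComponent(merchantHost);
  return u.href;
}

// Classifies the popup's final URL. Assumption: only the payment method URL
// itself (same origin, path and query) may signal #success or #fail.
function installResult(method, finalUrl) {
  let m, f;
  try { m = new URL(method); f = new URL(finalUrl); } catch { return 'fail'; }
  const sameDoc = m.origin === f.origin && m.pathname === f.pathname && m.search === f.search;
  if (!sameDoc) return 'fail';
  if (f.hash === '#success') return 'success';
  if (f.hash === '#fail') return 'fail';
  return 'pending'; // still on the "Initializing..." page
}

// Walks the steps in order: header check, user prompt, popup outcome.
function jitInstallOutcome({ method, headers, userChoice, finalUrl }) {
  const names = Object.keys(headers).map((h) => h.toLowerCase());
  if (!names.includes(JIT_HEADER)) return 'NotSupportedError';
  if (userChoice !== 'ALLOW') return 'NotSupportedError';
  const r = installResult(method, finalUrl);
  if (r === 'success') return 'fire paymentrequest';
  return r === 'fail' ? 'offer another payment app' : 'waiting';
}

// Constructed sample input (not from the issue).
console.log(installUrl('https://bobpay.xyz/pay', 'merchant-shop.com'));
console.log(jitInstallOutcome({
  method: 'https://bobpay.xyz/pay',
  headers: { 'X-Example-JIT-Install': '1' },
  userChoice: 'ALLOW',
  finalUrl: 'https://bobpay.xyz/pay#success',
}));
```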