Web Monetization

Draft Community Group Report

Latest published version:
https://www.w3.org/TR/web-monetization/
Latest editor's draft:
https://webmonetization.org/specification.html
Editors:
Adrian Hope-Bailie (Coil Technologies Inc.)
Ben Sharafian (Coil Technologies Inc.)
Nick Dudfield (Coil Technologies Inc.)

Abstract

Web Monetization allows websites to automatically receive payments from users, facilitated by the user agent and a user's preferred monetization provider.

Status of This Document

This specification was published by the Web Platform Incubator Community Group. It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the W3C Community Contributor License Agreement (CLA) there is a limited opt-out and other conditions apply. Learn more about W3C Community and Business Groups.

Warning

This specification is a work in progress within the community on the best shape it should take. Please see the explainer for more info.

The specification reflects the desired end-state of the Web Monetization APIs as currently anticipated and agreed to between the contributors. The specification is being prepared here, in this format, to collect the input of the Web community and prepare the work to ultimately follow the W3C standards track should it have the necessary support to do so.

For the most accurate reflection of the APIs that have been implemented by providers see the API documentation.

GitHub Issues are preferred for discussion of this specification.

1. Usage examples

This section is non-normative.

1.1 Monetizing a web page

1.2 Monetizing media

The following example shows how to monetize various type of media using different payment end-point.

2. Model

Monetization:
A payment made by a user to a website, facilitated through a monetization provider.
Monetization provider:
The party making payments on behalf of the user. A monetization provider leverages the Simple Payments Setup Protocol (SPSP) together with Interledger Protocol (ILP)/STREAM to provide a high-level way to pay a monetization receiver.
Monetization receiver:
The party receiving payments on behalf of the website, whose details are provided by a payment end-point.
Payment end-point:
A URL to a SPSP end-point (i.e., a JSON resource containing details that facilitate payment).

3. Goals

This section is non-normative.

5. onmonetization event handler

The onmonetization event handler is an event handler content attribute that can be applied to any element. The user agent uses it to notify that some link has been monetized.

6. monetization event

When the STREAM connection has fulfilled an ILP packet with a non-zero amount, perform the following steps:

  1. Let target be the HTMLLinkElement associated with the STREAM connection.
  2. If target is null, then return.
  3. Let eventInitDict be a MonetizationEventInit dictionary, whose members are initialized to match packet's details.
  4. Let event be a newly constructed MonetizationEvent initialized with eventInitDict.
  5. Queue a task on the monetization task source to perform the following steps:
    1. If target is not connected, return.
    2. Fire an event named "monetization" at target, with bubbles initialized to true.

7. Task sources

The following task source is defined by this specifications.

The monetization task source
Used by this specification to queue up non-blocking MonetizationEvents.

8. MonetizationEvent interface

WebIDL[SecureContext, Exposed=Window]
interface MonetizationEvent : Event {
  constructor(DOMString type, MonetizationEventInit eventInitDict);
  readonly attribute DOMString amount;
  readonly attribute DOMString assetCode;
  readonly attribute DOMString assetScale;
  readonly attribute DOMString? receipt;
  readonly attribute USVString paymentPointer;
};

dictionary MonetizationEventInit : EventInit {
  required DOMString amount;
  required DOMString assetCode;
  required DOMString assetScale;
  required DOMString? receipt;
  required USVString paymentPointer;
};

8.1 amount attribute

The amount received as by an ILP packet. When getting, returns the value it was initialized with.

8.2 assetCode attribute

The three letter asset code describing the amount's units (e.g., "USD" for US dollars). When getting, returns the value it was initialized with.

8.3 assetScale attribute

The scale of the amount. For example, USD would have an assetScale of 2 when denominated in cents. When getting, returns the value it was initialized with.

8.4 receipt attribute

null or a base64-encoded STREAM Receipt issued by the monetization receiver to the monetization provider as proof of the total amount received in the stream. When getting, returns the value it was initialized with.

8.5 paymentPointer attribute

A URL representing a payment end-point. When getting, returns the value it was initialized with.

9. Permissions Policy integration

This specification defines a policy-controlled feature identified by the string "monetization"". Its default allowlist is 'self'.

Note

10. Content Security Policy

Note: Monkey patch 🐒

This section will eventually be moved into the [CSP] and [FETCH] specifications.

10.1 monetization-src directive

The monetization-src directive restricts the URLs from which a payment end-point is loaded. The syntax for the directive's name and value is described by the following ABNF:

directive-name  = "monetization-src"
directive-value = serialized-source-list

10.1.1 monetization-src Pre-request check

This directive's pre-request check is as follows:

Given a request (request) and a policy (policy):

  1. Let name be the result of executing "Get the effective directive for request" on request.
  2. If the result of executing "Should fetch directive execute" on name, monetization-src and policy is "No", return "Allowed".
  3. If the result of executing "Does request match source list?" on request, this directive's value, and policy, is "Does Not Match", return "Blocked".
  4. Return "Allowed".

10.1.2 monetization-src Post-request check

This directive's post-request check is as follows:

Given a request (request) and a policy (policy):

  1. Let name be the result of executing "Get the effective directive for request" on request.
  2. If the result of executing "Should fetch directive execute" on name, monetization-src and policy is "No", return "Allowed".
  3. If the result of executing "Does response to request match source list?" on response, request, this directive's value, and policy, is "Does Not Match", return "Blocked".
  4. Return "Allowed".

11. Security considerations

It is RECOMMENDED that a user agent provide some UI or indicator that allows the user to know when monetization is possible and/or when monetization is occurring. Providing such a UI allows the users to retain control of the monetization process by taking action (e.g., stop or start monetization of a particular site if they wish to do so).

As payment end-points are generally provided as a service (e.g., Uphold), a XSS attack could inject a malicious payment end-points into a page that uses the same service. To mitigate such an attack, it RECOMMENDED that developers:

12. Privacy considerations

Web monetization is designed to be privacy-preserving: The user agent does not send any data to the monetization provider. Instead, it requests data from the monetization provider without ever revealing the URL of the web page the user is currently browsing.

Further, the user agent gets the payment information from the payment end-point to establish the [STREAM] connection. This also ensures the monetization provider doesn't have access to a user's browsing history or to the payment end-point.

13. Relation to Web Payments

This section is non-normative.

Unlike Payment Request API and the Payment Handler API, Web Monetization is intended for continuous payments rather than discrete payments. Additionally, it is designed to not require any user interaction, serving as an alternative to traditional e-commerce checkout methods.

A. Conformance

As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.

The key words MUST, MUST NOT, and RECOMMENDED in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

B. References

B.1 Normative references

[CSP]
Content Security Policy Level 3. Mike West. W3C. 29 June 2021. W3C Working Draft. URL: https://www.w3.org/TR/CSP3/
[dom]
DOM Standard. Anne van Kesteren. WHATWG. Living Standard. URL: https://dom.spec.whatwg.org/
[FETCH]
Fetch Standard. Anne van Kesteren. WHATWG. Living Standard. URL: https://fetch.spec.whatwg.org/
[HTML]
HTML Standard. Anne van Kesteren; Domenic Denicola; Ian Hickson; Philip Jägenstedt; Simon Pieters. WHATWG. Living Standard. URL: https://html.spec.whatwg.org/multipage/
[infra]
Infra Standard. Anne van Kesteren; Domenic Denicola. WHATWG. Living Standard. URL: https://infra.spec.whatwg.org/
[Interledger]
Interledger Protocol. URL: https://interledger.org/rfcs/0027-interledger-protocol-4/
[permissions-policy]
Permissions Policy. Ian Clelland. W3C. 16 July 2020. W3C Working Draft. URL: https://www.w3.org/TR/permissions-policy-1/
[Receipt]
STREAM Receipt. URL: https://interledger.org/rfcs/0039-stream-receipts/
[RFC2119]
Key words for use in RFCs to Indicate Requirement Levels. S. Bradner. IETF. March 1997. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc2119
[RFC8174]
Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words. B. Leiba. IETF. May 2017. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc8174
[SPSP]
Simple Payments Setup Protocol. URL: https://interledger.org/rfcs/0009-simple-payment-setup-protocol
[STREAM]
STREAM. URL: https://interledger.org/rfcs/0029-stream/
[url]
URL Standard. Anne van Kesteren. WHATWG. Living Standard. URL: https://url.spec.whatwg.org/
[webidl]
Web IDL Standard. Edgar Chen; Timothy Gu. WHATWG. Living Standard. URL: https://webidl.spec.whatwg.org/

B.2 Informative references

[Payment-Handler]
Payment Handler API. Adrian Hope-Bailie; Ian Jacobs; Rouslan Solomakhin; Jinho Bang; Jason Normore; Tommy Thorsen; Adam Roach. W3C. 4 October 2021. W3C Working Draft. URL: https://www.w3.org/TR/payment-handler/
[Payment-Request]
Payment Request API. Marcos Caceres; Rouslan Solomakhin; Ian Jacobs. W3C. 30 September 2021. W3C Proposed Recommendation. URL: https://www.w3.org/TR/payment-request/