For a developer to build an app with in-app payments she currently has to:

1. host a web server at some domain, and
2. that server must accept HTTPS connections with a valid cert. She cannot use a self-signed cert.

Is it important enough for the developer ecosystem to relax this restriction and allow HTTP URLs? If a developer self-hosts their domain it is pretty costly to get an HTTPS cert and this would be a barrier to entry. Many services like Heroku, App Engine, OpenShift, etc., will provide HTTPS on a shared domain though.

Why HTTPS? The restriction applies to when the Firefox Marketplace does a server-to-server POST with a JWT containing the result of a purchase. This JWT is a blob of JSON that contains info about the product. It does *not* contain user data unless the developer put an email or something in the productData field, but that would be weird. In raw form, the JWT is a base64-encoded string of JSON + a signature.

Here's detailed info about how notifications work: https://developer.mozilla.org/en-US/docs/Apps/Publishing/In-app_payments#Processing_postbacks_on_the_server

Example JWT that would be sent over the wire in plain text (after decoding it):

    {
      "iss": "marketplace.firefox.com",
      "aud": APPLICATION_KEY,
      "typ": "mozilla/payments/pay/postback/v1",
      "exp": 1337370900,
      "iat": 1337360900,
      "request": {
        "id": "915c07fc-87df-46e5-9513-45cb6e504e39",
        "pricePoint": 1,
        "name": "Magical Unicorn",
        "description": "Adventure Game item",
        "productData": "user_id=1234&my_session_id=XYZ",
        "postbackURL": "https://yourapp.com/payments/postback",
        "chargebackURL": "https://yourapp.com/payments/chargeback"
      },
      "response": {
        "transactionID": "webpay:84294ec6-7352-4dc7-90fd-3d3dd36377e9"
      }
    }

_______________________________________________
dev-webapps mailing list: https://lists.mozilla.org/listinfo/dev-webapps
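Whatever the transport, the receiving server must verify the postback rather than trust the decoded JSON. Below is an added example (not code from the original post or from Mozilla) of the checks a postback endpoint should do, assuming the JWT is HS256-signed with the app's secret key; the key, secret and sample token are constructed here, with the claims taken from the example above.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key/secret; real values come from the developer's Marketplace settings.
APP_KEY = "example-app-key"
APP_SECRET = b"example-app-secret"
ISSUER = "marketplace.firefox.com"
POSTBACK_TYP = "mozilla/payments/pay/postback/v1"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT (the sender's side; used here only to construct a sample)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_postback(token: str, app_key: str, secret: bytes, now: int) -> dict:
    """Check signature first, then claims; return the payload or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    head, body, sig = parts
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, never take it from the header alone
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")  # tampered, or not produced with the app secret
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != app_key:
        raise ValueError("wrong issuer or audience")
    if claims.get("typ") != POSTBACK_TYP:
        raise ValueError("not a postback")  # a chargeback JWT must not be treated as a sale
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        raise ValueError("outside validity window")
    return claims

# Sample claims from the example postback above (token itself is constructed)
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": APP_KEY, "typ": POSTBACK_TYP, "exp": 1337370900, "iat": 1337360900,
    "request": {"id": "915c07fc-87df-46e5-9513-45cb6e504e39", "pricePoint": 1, "name": "Magical Unicorn",
                "productData": "user_id=1234&my_session_id=XYZ"},
    "response": {"transactionID": "webpay:84294ec6-7352-4dc7-90fd-3d3dd36377e9"}}
SAMPLE_TOKEN = make_token(SAMPLE_CLAIMS, APP_SECRET)
```

The signature covers everything in the token, so integrity holds even over plain HTTP; what HTTP gives away is the productData and transaction IDs to anyone on the path, and the endpoint should additionally record each transactionID so a replayed valid token cannot credit a purchase twice.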
