Add payeeName input to spec (#180)

Per the proposal in #163, add a payeeName field to the spec.

spec.bs

@@ -372,6 +372,7 @@ const request = new PaymentRequest([{
       icon: "https://fancybank.com/card-art.png",
     },
 
+    payeeName: "Merchant Shop",
     payeeOrigin: "https://merchant.com",
 
     timeout: 360000,  // 6 minutes
@@ -512,7 +513,8 @@ Add the following to the [=registry of standardized payment methods=] in
         required FrozenArray<BufferSource> credentialIds;
         required PaymentCredentialInstrument instrument;
         unsigned long timeout;
-        required USVString payeeOrigin;
+        DOMString payeeName;
+        USVString payeeOrigin;
         AuthenticationExtensionsClientInputs extensions;
     };
 </xmp>
@@ -540,9 +542,15 @@ members:
     :: The number of milliseconds before the request to sign the transaction
         details times out. At most 1 hour.
 
+    :  <dfn>payeeName</dfn> member
+    :: The display name of the payee that this SPC call is for (e.g., the
+        merchant). Optional, may be provided alongside or instead of
+        {{SecurePaymentConfirmationRequest/payeeOrigin}}.
+
     :  <dfn>payeeOrigin</dfn> member
     :: The [=/origin=] of the payee that this SPC call is for (e.g., the
-        merchant).
+        merchant). Optional, may be provided alongside or instead of
+        {{SecurePaymentConfirmationRequest/payeeName}}.
 
     :  <dfn>extensions</dfn> member
     :: Any [=WebAuthn extensions=] that should be used for the passed
@@ -562,15 +570,25 @@ input {{SecurePaymentConfirmationRequest}} |data|, are:
 1. If |data|["{{SecurePaymentConfirmationRequest/rpId}}"] is not a
     [=valid domain=], return `false`.
 
-1. Let |parsedURL| be the result of running the [=URL parser=] on
-    |data|["{{SecurePaymentConfirmationRequest/payeeOrigin}}"].
+1. If both |data|["{{SecurePaymentConfirmationRequest/payeeName}}"] and
+    |data|["{{SecurePaymentConfirmationRequest/payeeOrigin}}"] are omitted,
+    return `false`.
+
+1. If either of |data|["{{SecurePaymentConfirmationRequest/payeeName}}"] or
+    |data|["{{SecurePaymentConfirmationRequest/payeeOrigin}}"] is present and
+    empty, return `false`.
+
+1. If |data|["{{SecurePaymentConfirmationRequest/payeeOrigin}}"] is present:
 
-1. If |parsedURL| is failure, then return `false`.
+    1. Let |parsedURL| be the result of running the [=URL parser=] on
+        |data|["{{SecurePaymentConfirmationRequest/payeeOrigin}}"].
 
-1. If |parsedURL|'s [=url/scheme=] is not "`https`", then return `false`.
+    1. If |parsedURL| is failure, then return `false`.
 
-1. Set |data|["{{SecurePaymentConfirmationRequest/payeeOrigin}}"] to the
-    [=serialization of an origin|serialization of=] |parsedURL|'s [=url/origin=].
+    1. If |parsedURL|'s [=url/scheme=] is not "`https`", then return `false`.
+
+    1. Set |data|["{{SecurePaymentConfirmationRequest/payeeOrigin}}"] to the
+        [=serialization of an origin|serialization of=] |parsedURL|'s [=url/origin=].
 
 1. If |data|["{{SecurePaymentConfirmationRequest/instrument}}"]["{{PaymentCredentialInstrument/displayName}}"]
     is empty, return `false`.
@@ -620,7 +638,8 @@ Payment Confirmation payment handler=] is selected. However, so that a
 is communicated to the user and that the user's consent is collected for the
 authentication:
 
-* The {{CollectedClientAdditionalPaymentData/payeeOrigin}}.
+* The {{CollectedClientAdditionalPaymentData/payeeName}} if it is present.
+* The {{CollectedClientAdditionalPaymentData/payeeOrigin}} if it is present.
 * The {{CollectedClientAdditionalPaymentData/total}}, that is the
     {{PaymentCurrencyAmount/currency}} and {{PaymentCurrencyAmount/value}} of the
     transaction.
@@ -667,8 +686,12 @@ The [=steps to respond to a payment request=] for this payment method, for a giv
     :: |data|["{{SecurePaymentConfirmationRequest/rpId}}"]
     : {{AuthenticationExtensionsPaymentInputs/topOrigin}}
     :: |topOrigin|
+    : {{AuthenticationExtensionsPaymentInputs/payeeName}}
+    :: |data|["{{SecurePaymentConfirmationRequest/payeeName}}"] if it is
+        present, otherwise omitted.
     : {{AuthenticationExtensionsPaymentInputs/payeeOrigin}}
-    :: |data|["{{SecurePaymentConfirmationRequest/payeeOrigin}}"]
+    :: |data|["{{SecurePaymentConfirmationRequest/payeeOrigin}}"] if it is
+        present, otherwise omitted.
     : {{AuthenticationExtensionsPaymentInputs/total}}
     :: |request|.[=payment request details|[[details]]=]["{{PaymentDetailsInit/total}}"]
     : {{AuthenticationExtensionsPaymentInputs/instrument}}
@@ -756,6 +779,7 @@ directly; for authentication the extension can only be accessed via
       // Only used for authentication.
       USVString rp;
       USVString topOrigin;
+      DOMString payeeName;
       USVString payeeOrigin;
       PaymentCurrencyAmount total;
       PaymentCredentialInstrument instrument;
@@ -769,19 +793,22 @@ directly; for authentication the extension can only be accessed via
         <div class="note">**TODO**: Find a better way to do this. Needed currently because other members are auth-time only.</div>
 
       :  <dfn>rp</dfn> member
-      :: The [=Relying Party=] id of the credential(s) being used. Only valid at authentication time.
+      :: The [=Relying Party=] id of the credential(s) being used. Only used at authentication time; not registration.
 
       :  <dfn>topOrigin</dfn> member
-      :: The origin of the top-level frame. Only valid at authentication time.
+      :: The origin of the top-level frame. Only used at authentication time; not registration.
+
+      :  <dfn>payeeName</dfn> member
+      :: The payee name, if present, that was displayed to the user. Only used at authentication time; not registration.
 
       :  <dfn>payeeOrigin</dfn> member
-      :: The payee origin that was displayed to the user. Only valid at authentication time.
+      :: The payee origin, if present, that was displayed to the user. Only used at authentication time; not registration.
 
       :  <dfn>total</dfn> member
-      :: The transaction amount that was displayed to the user. Only valid at authentication time.
+      :: The transaction amount that was displayed to the user. Only used at authentication time; not registration.
 
       :  <dfn>instrument</dfn> member
-      :: The instrument details that were displayed to the user. Only valid at authentication time.
+      :: The instrument details that were displayed to the user. Only used at authentication time; not registration.
 
     </dl>
 
@@ -844,8 +871,12 @@ directly; for authentication the extension can only be accessed via
                 :: |extension_inputs|["{{AuthenticationExtensionsPaymentInputs/rp}}"]
                 : {{CollectedClientAdditionalPaymentData/topOrigin}}
                 :: |extension_inputs|["{{AuthenticationExtensionsPaymentInputs/topOrigin}}"]
+                : {{CollectedClientAdditionalPaymentData/payeeName}}
+                :: |extension_inputs|["{{AuthenticationExtensionsPaymentInputs/payeeName}}"]
+                    if it is present, otherwise omitted.
                 : {{CollectedClientAdditionalPaymentData/payeeOrigin}}
                 :: |extension_inputs|["{{AuthenticationExtensionsPaymentInputs/payeeOrigin}}"]
+                    if it is present, otherwise omitted.
                 : {{CollectedClientAdditionalPaymentData/total}}
                 :: |extension_inputs|["{{AuthenticationExtensionsPaymentInputs/total}}"]
                 : {{CollectedClientAdditionalPaymentData/instrument}}
@@ -881,7 +912,8 @@ The {{CollectedClientPaymentData}} dictionary inherits from
     dictionary CollectedClientAdditionalPaymentData {
         required USVString rp;
         required USVString topOrigin;
-        required USVString payeeOrigin;
+        DOMString payeeName;
+        USVString payeeOrigin;
         required PaymentCurrencyAmount total;
         required PaymentCredentialInstrument instrument;
     };
@@ -897,8 +929,11 @@ fields:
     :  <dfn>topOrigin</dfn> member
     :: The origin of the top level context that requested to sign the transaction details.
 
+    :  <dfn>payeeName</dfn> member
+    :: The name of the payee, if present, that was displayed to the user.
+
     :  <dfn>payeeOrigin</dfn> member
-    :: The origin of the payee that was displayed to the user.
+    :: The origin of the payee, if present, that was displayed to the user.
 
     :  <dfn>total</dfn> member
     :: The {{PaymentCurrencyAmount}} of the [[payment-request]] `total` field.
@@ -1014,8 +1049,11 @@ Confirmation, the [=Relying Party=] MUST proceed as follows:
         * Verify that the value of |C|["{{CollectedClientPaymentData/payment}}"]["{{CollectedClientAdditionalPaymentData/topOrigin}}"]
             matches the top-level origin that the [=Relying Party=] expects.
 
+        * Verify that the value of |C|["{{CollectedClientPaymentData/payment}}"]["{{CollectedClientAdditionalPaymentData/payeeName}}"]
+            matches the name of the payee that should have been displayed to the user, if any.
+
         * Verify that the value of |C|["{{CollectedClientPaymentData/payment}}"]["{{CollectedClientAdditionalPaymentData/payeeOrigin}}"]
-            matches the origin of the payee that should have been displayed to the user.
+            matches the origin of the payee that should have been displayed to the user, if any.
 
         * Verify that the value of |C|["{{CollectedClientPaymentData/payment}}"]["{{CollectedClientAdditionalPaymentData/total}}"]
             matches the transaction amount that should have been displayed to the user.
@@ -1195,7 +1233,7 @@ transaction details that are shown to the user:
 
 * Transaction amount and currency
 * Payment instrument name and icon
-* Payee origin
+* Payee name and origin
 
 This could lead to a spoofing attack, in which a merchant presents incorrect
 data to the user. For example, the merchant could tell the bank (in the