Integrating Retailer Shopping Carts with Sparkle by Group Nine Media

Amazon Sparkle

Introduction

As the ecommerce landscape evolves, shoppers have raised their expectations of online shopping experiences, and are easily discouraged by burdensome process flows which force multiple clicks, page loads and forms. This is especially true as more eCommerce moves to mobile where conversion is even more dependent upon ease of use of the interface.

One way leading online retailers (Amazon, Walmart, BestBuy) have addressed this issue is by providing 3rd Party Cart APIs for their affiliates and advertisers. This allows the customer to make a buying decision on a partner’s website, and then directly add that product (or multiple products) to their shopping cart. If the customer happens to already be authenticated with the destination site, they can be taken directly to the checkout page where they can review the contents of their cart. This works equally well for anonymous carts, since each retailer has already optimized the login or signup process for that case.

Sparkle, from Group Nine Media, has integrated with several different retailers’ checkout and cart APIs to create a mobile optimized shopping experience easily accessible from the web pages and social feeds of POPSUGAR, Thrillist and The Dodo. This document describes a number of different approaches to providing a shared checkout API and discusses the drawbacks and advantages of each one.

GET Cart with SKUs

This is by far the simplest implementation for a 3rd party application or website to use, but may present special challenges to the retailer. Amazon, Walmart, and BestBuy all support this type of request through their affiliate accounts. It allows any site to create a link on a web page which includes the product SKU(s). For Amazon and Walmart, clicking on that link takes the user to a landing page on the retailer’s site which lists the products, and confirms that the user wants to add them to the cart. For Best Buy, you are taken directly to the cart, but they currently only allow 1 product to be added in a single request.

There are a couple of considerations for a retailer who wishes to implement this mechanism. Without the confirmation page, it’s possible for malevolent bots or other ill-willed systems to flood your site with anonymous cart creation. Assuming anonymous carts are a free resource and/or are garbage collected on a regular basis, this may not be a concern. The retailer does have to decide how to deal with inventory counts, and whether an item in an anonymous cart should count against available inventory. Analyzing cart abandonment rates may justify waiting for customer authentication or account creation before decreasing available inventory.

GET/POST Add-to-Cart

Another option we’ve seen implemented is adding items to a cart via a GET or POST request, usually specifying SKUs and quantities. GET requests are convenient since they don’t require explicit CORS permissions, though it’s possible for the server implementation to allow any domain for POST requests. Once again, the implementation needs to be able to scale anonymous cart creation.

Even with strong CORS controls, retailers have the option of adding “sparkle.groupninemedia.com” to their “allowed origin” list and responding to the browser to allow the POST operation.
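The two CORS postures described above, side by side, as an added example (not code from the article or from Sparkle): a server that reflects any Origin for a credentialed POST, and one that answers only an exact allowlisted origin. The allowed-origin set is an assumption built from the partner host named above.

```python
# Added example, not code from the article. The allowed origin is built from
# the partner host the article names; treat it as an assumption.
ALLOWED_ORIGINS = {"https://sparkle.groupninemedia.com"}


def cors_headers_reflecting(request_origin):
    """The "allow any domain" variant: echoes whatever Origin arrives.

    Combined with Allow-Credentials, this lets any page make cookied
    add-to-cart requests on the visitor's behalf and read the responses.
    """
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlisted(request_origin, method="POST"):
    """Allowlisted variant: CORS headers for an allowed origin, or an empty
    dict (the browser then blocks the cross-origin read) for anything else.

    A credentialed request cannot be answered with '*', so the origin is echoed
    back only after an exact string comparison (scheme and host included), and
    Vary: Origin keeps a shared cache from replaying the answer to another origin.
    """
    if request_origin not in ALLOWED_ORIGINS:
        return {}
    headers = {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
    if method == "OPTIONS":  # preflight the browser sends before a JSON POST
        headers["Access-Control-Allow-Methods"] = "POST, OPTIONS"
        headers["Access-Control-Allow-Headers"] = "Content-Type"
        headers["Access-Control-Max-Age"] = "600"
    return headers
```

The exact-match comparison is what rejects `http://sparkle.groupninemedia.com` (wrong scheme) and `https://sparkle.groupninemedia.com.evil.example` (lookalike host), both of which a suffix or substring check would let through.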

Typically on the first request, the response will return a cart cookie, which is then extracted on all following requests.

The War on 3rd Party Cookies

Unfortunately, in order to address concerns with privacy around 3rd party tracking, many browsers have built restrictions around cookie management which can undermine our 3rd party cart implementation. Safari will not allow any 3rd party cookies to be created until the user has made a “first class” visit to the website. Chrome currently allows the cookies to be created, but does not allow the current site any visibility to those cookies or the return values of the request. Google has announced they plan to further restrict this behavior in the future.

There still exists one simple work-around to this problem which we will call the “Cookied-Redirect”. In short, since Safari requires the user to visit the site before cookies can be created, the retailer can set up a redirect endpoint, which adds a cookie to a 302 response that sends the browser back to the original page. For example:

https://store.acme.com/redirect?url=https://sparkle.popsugar.com/app/xxxxxxx/embed

Safari will consider this a true visit to the acme.com web site, and all future GET and POST requests will now be able to successfully create cookies, thus solving our cart identification problem.

To avoid an Open Redirect Vulnerability, retailers will want to limit the redirect to partner domains which are integrating their cart apis.
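A redirect endpoint of the kind described above, restricted to partner hosts, as an added example (not code from the article or from any retailer). The allowlist, the cookie name and the fallback URL are assumptions; the partner host is the one in the example URL above.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of partner hosts (assumption: agreed with each partner;
# the article's example URL uses sparkle.popsugar.com as the embed host).
ALLOWED_REDIRECT_HOSTS = {"sparkle.popsugar.com", "sparkle.groupninemedia.com"}


def is_safe_redirect(url):
    """Accept only absolute https URLs whose host is exactly on the allowlist.

    Rejects the shapes that commonly slip past weaker checks: other schemes,
    protocol-relative and relative URLs, userinfo (https://good.example@evil.example/),
    lookalike hosts (good.example.evil.example) and non-standard ports.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname      # already lowercased by urlsplit
        port = parts.port          # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    return host.rstrip(".") in ALLOWED_REDIRECT_HOSTS


def cookied_redirect(url, cart_id, fallback="https://store.acme.com/"):
    """Build the status and headers of the 302 the /redirect endpoint sends.

    The cart cookie is set either way; the Location is the requested partner
    page only when it passes the allowlist, otherwise the retailer's own home
    page, so the endpoint cannot be used to bounce visitors to arbitrary sites.
    """
    location = url if is_safe_redirect(url) else fallback
    headers = [
        ("Location", location),
        # SameSite=None; Secure is what current browsers require before they will
        # attach the cookie to the later cross-site GET/POST cart requests.
        ("Set-Cookie", "cart=%s; Path=/; Secure; HttpOnly; SameSite=None" % cart_id),
    ]
    return 302, headers
```

Matching the whole host against a fixed set, rather than checking that the URL "contains" or "starts with" a partner name, is the part that matters; the other checks close the bypasses that exact-host matching alone would still leave open.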

Imagine There’s no 3rd Party

So there is one other potential trick to avoid the CORS and 3rd Party Cookie issues, which works if (and only if) the retailer’s cookies are scoped to the parent domain and not to a particular host. For instance, if cookie values are scoped to acme.com and NOT store.acme.com, the browser will send them when Sparkle uses its domain whitelabeling feature: sparkle.acme.com. This means the cart cookies can be easily shared between the two sites without requiring any redirects, and it avoids CORS cross-domain issues, since the sites are on the same domain.
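The cookie-scoping rule this depends on, worked through for the hosts named above, as an added example (not code from the article): a small Set-Cookie parser plus the domain-matching rule browsers apply, showing which hosts receive a host-only cookie versus one with a Domain attribute. The two Set-Cookie headers are constructed for the example.

```python
# Added example, not code from the article. Two constructed Set-Cookie headers
# that a retailer server at store.acme.com might send for its cart cookie.
HOST_ONLY_COOKIE = "cart=abc123; Path=/; Secure; HttpOnly"
SITE_WIDE_COOKIE = "cart=abc123; Domain=acme.com; Path=/; Secure; HttpOnly"


def parse_set_cookie(header):
    """Minimal Set-Cookie parser: (name, value, {attribute: value}) with
    attribute names lowercased; attributes without a value map to True."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for item in rest:
        key, _, val = item.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value, attrs


def domain_matches(host, domain):
    """RFC 6265 section 5.1.3: host equals domain, or host ends with '.' + domain.
    (IP-address hosts, which never domain-match, are not handled here.)"""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def cookie_sent_to(origin_host, set_cookie_header, request_host):
    """Would a cookie set by origin_host be attached to a request to request_host?

    - No Domain attribute: a host-only cookie, returned only to the exact host
      that set it, so store.acme.com's cart is invisible to sparkle.acme.com.
    - Domain=acme.com: sent to acme.com and every subdomain, provided the setting
      host itself domain-matches the attribute; browsers discard a cookie whose
      Domain names a site the setter is not part of.
    """
    _, _, attrs = parse_set_cookie(set_cookie_header)
    domain = attrs.get("domain")
    if not isinstance(domain, str):
        return origin_host.lower().rstrip(".") == request_host.lower().rstrip(".")
    if not domain_matches(origin_host, domain):
        return False
    return domain_matches(request_host, domain)
```

Running `cookie_sent_to("store.acme.com", SITE_WIDE_COOKIE, "sparkle.acme.com")` returns True while the HOST_ONLY_COOKIE variant returns False, which is exactly the difference the whitelabeled host relies on.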

The downside here is the need to manage SSL certificates for the server. Either the retailer will need to issue a certificate for the sparkle web server, or if the retailer uses a Load Balancer to terminate the SSL connection, the requests could then be proxied back to Sparkle. In either case, this will still require some configuration by the retailer’s IT group.

Backend Authenticated Shopping API

If none of the above solutions are acceptable, the last option is to create an authenticated Shopping API, if one doesn’t already exist. This addresses most of the security concerns mentioned above, but may be a significantly larger lift for the retailer’s ecommerce engineering team if an existing API isn’t already in place.

In this model, the Sparkle server makes all the cart requests on behalf of the user. This prevents the authentication key from being exposed in Javascript on the browser.

The API requirements here are

  1. Get product information from a retailer product page URL
  2. Create a Shopping Cart and return a unique id for that cart
  3. Add a product to the above cart
  4. Provide an endpoint to initiate the retailer checkout experience given a unique cart id

It may be possible to combine 2 & 3 into a single request that creates a new cart if a cart id isn’t specified. Another option is to combine 2, 3 & 4 by passing all the SKUs and quantities in a single request and having the response be a redirect to the retailer checkout page. Note that we’ve come full circle now, back to the public GET implementation we started with, though by making this an authenticated API call, the retailer is better protected from malevolent anonymous cart creation.

Product Information API

The last component needed for optimal Sparkle integration is a good product query API. Most retailers already have this in place since it’s usually a necessary component for building a shoppable retailer website, but the API isn’t necessarily public or easily accessed by 3rd parties.

For completeness, the key product data requirements for Sparkle are:

  1. Product and Variant SKUs
  2. Product and Variant Images
  3. Variant Types (size, color, etc.)
  4. Swatches for color/pattern Variants
  5. Variant Display Descriptions (“Sky Blue” vs “skyblue”)
  6. Inventory and/or availability

Ideally, the retailer product page URL (or some portion of the URL) can be used to query the API. Depending upon the number of variants of a particular product, multiple requests may be needed to retrieve the data. Often, all the information needed is already available in a JSON object on the product page and the simplest solution may be for Sparkle to simply extract that.

Conclusion

While allowing third party cart API integration may not be a trivial endeavor for an online retailer, it’s obvious the market leaders and early adopters have seen the value in doing so. This is becoming even more important as younger consumers are learning to expect shopping seamlessly integrated into their media consumption and social experiences. The audience drawn to the Group Nine Media properties is very mobile savvy and depends upon our Brands to lead them to equally savvy retailers.

This article originally appeared at https://engineering.popsugar.com/retailer-shopping-cart-integration-with-sparkle-47160371 on Jan 29th, 2020.

Intel CPU Info tool.

Cool geekware to tell you about your CPU: http://www.cpuid.com/downloads/cpu-z/1.55-setup-en.exe. Be sure to disable the evil Ask toolbar window from the install wizard.

Allway Sync now supports Amazon S3

So I’ve been using the AllWay Sync tool for a couple of years now to keep laptops synchronized (free for home use). I recently downloaded the latest version to help me back up the HTPC hard disk before pulling it out and moving it to the ReadyNAS NV+ as an iSCSI device (a story for another time). In the back of my mind, I’ve also been contemplating various offsite backup strategies. My photo and home video collection is nearing 1TB, and after seeing the San Mateo gas fire, I’m a little more motivated to get those offsite.

It turns out the latest version of AllWay now supports Amazon S3! This basically gives you an unlimited storage solution for $1.11 (was $1.20)/GB/yr using S3 RRS. Or $9 (was $10) a month for a TB of backup. The beauty is you only pay for what you use, so 250GB is only $2.25 (was $2.50) a month, or $27/yr. The AllWay tool can do scheduled synchronizations and after the initial sync, it only pushes new files and deletions.

Now the Internet backup providers like Carbonite are running as low as $55/yr for unlimited backup, so you may be able to pay a little less for a more feature-rich solution if you are over .5TB, but if you have multiple PCs (or a NAS)... That said, $55/yr only gets you 1 PC and I don’t know if it will back up network shares. Furthermore, they don’t recommend the $55 solution for anyone with more than 200GB. In fact, in their FAQ they mention something about bandwidth throttling at 35 and 200 gig.

Finally, Amazon has been consistently dropping the price on S3 storage every year, so it will only get cheaper. Allway includes integration with Windows Task Manager, so scheduled backups are a breeze. As soon as I get all the drives reorganized, this is definitely the next task on the list.

More CPU Envy

So just completed the configuration of my new Dell M4500.

  • Intel i7 Q720 @ 1.60GHz (not the fastest i7, but uses the least power)
  • 8GB memory
  • 60GB SSD drive
  • 500GB HD
  • Windows 7 Ultimate, 64 bit

The machine measures twice as fast as my old 4300 and the i7 excels at running VMWare machines. (Task Manager shows 8 CPUs: 4 hyperthreaded cores.) Add the SSD for the OS, and you’re not waiting for anything. Furthermore, with a 64-bit OS, I now have 4G allocated to each 32-bit VM and they run like they are native. Other nice touches are the backlit keyboard, wireless-N card and external SATA port.

My only complaint is the camera built into the screen is always pointed at you. I’d prefer it had some sort of physical lens cap.

Nice big keyboard with three mouse buttons above and below the pad.

The WEI score is 6.5 because I didn’t bother with the high-end graphics card. Processor and SSD come in at 7.0 and 7.3. 7.9 is the highest score possible, don’t ask me why…

Mean looking charcoal black case

BTW: The upgrade to the latest BIOS from Dell seemed to solve the BSOD problem I saw a couple times. Haven’t seen it since.

Hmm… Tool Porn

So about 10 years ago I picked up a 16.8V cordless drill/flashlight combination for something like $29.99. Worked great for a few years until one of the batteries stopped taking a charge. Went back to Sears only to discover they no longer made any 16.8V devices. Looked on eBay & Amazon and they wanted $49 for a used battery, and $100 for a new one. So I went back to sears.com and started looking for a new drill. Of course, little did I know I was going to stumble upon this for $299 (free shipping):

Not only did it replace the drill and flashlight along with 4 other tools, it also comes with 3 batteries and the rolling toolbox. Great addition to the Home Theater installation shop on wheels. A quick look inside the box:

The first level holds the drills and light.

The second level has the three saws. The only thing missing was a hammer drill for installing TV mounts on brick fireplaces. So I added one of those as well.

Finally, to top this all off, I also picked up a gorgeous Hammerhead LX stainless steel toolbox off of Craigslist. (This is what the Siren Padlock in the first picture is for.) Unfortunately, the company went out of business, but I managed to pull some info out of the Google cache:

Width: 41-3/16″ (46″ including side handles)
Height: 61.5″ (55-1/2″ without casters)
Depth: Top 17.5″ (18.25″ with drawer pulls)
Bottom 18.0″ (18.75″ with drawer pulls)
Net Weight Top Chest: 169 lbs.
Net Weight Bottom Roller Cabinet: 262 lbs
Total Net Weight: 431 lbs

Inner Dimensions:

TOP CHEST:

Lid: 41-3/16″ W x 15-3/8″ D x 2-1/4″H
Tray beneath Lid: 41-3/16″ W x 15-3/8″ D x 2-1/2″ H
total internal area of lid is 41-3/16″ W x 15-3/8″ D x 4-3/4″ H

Left bank of drawers on Top Chest, from top to bottom:

1. 22-1/2″ W x 16-5/8″ D x 2-3/8″ H
2. 22-1/2″ W x 16-5/8″ D x 2-3/8″ H
3. 22-1/2″ W x 16-5/8″ D x 2-3/8″ H
4. 22-1/2″ W x 16-5/8″ D x 2-3/8″ H
5. 22-1/2″ W x 16-5/8″ D x 2-3/8″ H

Right bank of drawers on Top Chest, from top to bottom:

1. 12-3/8″ W x 16-5/8″ D x 2-3/8″ H
2. 12-3/8″ W x 16-5/8″ D x 12″ H (will accommodate hanging file folders)

BOTTOM ROLLER CABINET:

Left Bank of drawers on Bottom Roller Cabinet, from top to bottom:

1. 22-1/2″ W x 16-5/8″ D x 5-1/8″ H
2. 22-1/2″ W x 16-5/8″ D x 2-3/8″ H
3. 22-1/2″ W x 16-5/8″ D x 2-3/8″ H
4. 22-1/2″ W x 16-5/8″ D x 2-3/8″ H
5. 22-1/2″ W x 16-5/8″ D x 5-1/4″ H
6. 22-1/2″ W x 16-5/8″ D x 8-5/8″ H

Right Bank of Drawers on Bottom Roller Cabinet, from top to bottom:

1. 12-3/8″ W x 16-5/8″ D x 5-1/8″ H
2. 12-3/8″ W x 16-5/8″ D x 2-3/8″ H
3. 12-3/8″ W x 16-5/8″ D x 2-3/8″ H
4. 12-3/8″ W x 16-5/8″ D x 2-3/8″ H
5. 12-3/8″ W x 16-5/8″ D x 5-1/4″ H
6. 12-3/8″ W x 16-5/8″ D x 8-5/8″ H

Total cubic inches of internal storage space is 25,555 cu. in.

Dimensions of Side handles:

Top: 9-3/8″ Long x 2-3/8″ Deep
Bottom: 9-1/2″ long x 2-3/8″ deep
Side handles are 1″ thick extra heavy duty 12 gauge Stainless Steel.

Casters:
Including caster bracket: 6-1/4″ high
caster: 5″ diameter x 1-1/2″ thick

Note that two casters have brakes (shown on left side of chest)

Stays: The bottom roller cabinet has corner stays to prevent the top chest from sliding off. The stays measure 5/8″ high x 1″ wide and wrap around the corner on all four sides.

Too bad they are gone. They look like they had some nice stuff:

Dual Boot Android and Windows Mobile

It looks like there’s a ROM download to allow an HTC Touch Pro 2 (Tilt 2 for AT&T customers) to dual boot both WM 6.5 and Android.
http://pocketnow.com/tweaks-hacks/android-update-on-the-touch-pro2-it-rocks
There is the potential to brick the phone, so I think I’ll wait a while before trying it.

RadioParadise High Fidelity Streams

So RadioParadise turned off their 192K MP3 stream in favor of Octoshape, a peer-to-peer Windows Media Player plugin, to get RadioParadise in 192k format. Unfortunately, I experienced quite a few dropouts and choppy sound. Possibly there aren’t enough users yet to get critical mass. Interestingly, Comcast took down the FAQ which claimed they don’t interfere with P2P traffic. The FCC came down on them for doing this last year, but with everything they are doing to fight the Net Neutrality movement, I wouldn’t put it past them. I switched to the 128K AAC+ stream with the Orban plugin. No dropouts and the quality sounds pretty good. Note that AAC+ received a much higher quality rating than MP3 on the MUSHRA score.

About Mike Patnode

Professional Info

I’m basically a Unix hack who taught himself Security, Java, and various Web technologies, only to get sucked into management positions after spending any amount of time at a company. You can find out a little more about me here as well as on LinkedIn. I also spent some time developing network video protocols with the X Consortium, but since working with the Certificate Server group at Netscape, I’ve been unable to fully escape the security world.

I’ve helped write a couple blog entries for Centrify, one about OpenSSH and another about MIT Kerberos Integration.

If you’re really a glutton for punishment, you can watch me talk about Unix Service Accounts, Active Directory Groups and Unix Identity Management.

Finally, for the complete diehards, there’s a 60 minute webinar on Migrating NIS and NIS+ Users to Active Directory.

Personal Info

I ride a BMW K75 motorcycle and still change my own oil on all my vehicles. I’ve been a Miami Dolphins fan since I was a little kid (no connection to Florida, so I can’t really explain why) but loyalty has kept me with the team through thick and thin. Luckily, after a long dry spell, the team is looking a little better. Living in California, I take full advantage of the wine country, and built a wine cellar under my stairwell to help leverage that. I also installed my own home theater system, including pulling all the wires through the walls. That continues to be a hobby/time sink, though mostly due to trying to arm-twist Windows Media Center into the entertainment experience I’m looking for.

If I had more time, I’d be playing more poker (not online!) and beach volleyball (definitely not online!). The free time I do have gets wasted on Science Fiction. Lately Peter Hamilton, Iain Banks and Neal Asher.

I have a lovely daughter and wife (that’s me, not my wife…)

I can be reached at mike(at)mpsharp.com