- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Wed, 14 Oct 2015 09:01:35 +0200
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
A review has been requested:
https://lists.w3.org/Archives/Public/public-webpayments-ig/2015Sep/0089.html

This seems to be the most current write-up:
https://github.com/WICG/paymentrequest/blob/master/explainer.md

SOP Compliance:
===============

As described by Alex Russell in the (in)famous SOP questioning thread:

"ensure that SOP is enforced through the browser by making the payment mechanisms a browser-mediated conversation, allowing interposition of user consent to information sharing"

Translated into normal language this possibly means that it is the user who unilaterally decides if they want to deal with "evilmerchant.com" or not. Presumably only the HTTPS server-certificate needs to be genuine.

Native Level Access:
=====================

The proposal talks about native level access including systems like Apple Pay. No specific solution has yet been presented, but I assume that Google is considering the same mechanism as I envisioned for the more universal navigator.nativeConnect() API, which simply reuses the long-established IPC (Inter Process Communication) systems that enable secure communication between end-points within an operating system environment.

Payment Transaction Security:
=========================

N/A

Cheers,
Anders
Received on Wednesday, 14 October 2015 07:02:12 UTC