Re: [w3c/browser-payment-api] Send HTMLIFrameElement.allowPaymentRequest to HTML spec (#311)

Do you mean a permission request akin to geolocation? We don't plan to use that for web payments, because geolocation permission allows polling user's location in background, which we do not want for payments. User should approve every transaction. There's only one approval screen, which shows the hostname of the top level context. This screen might also show the hostnames of the embedded iframes, but this security UX should be left to implementers to decide.

If any user agent implements "approve once, pay multiple times" behavior, I would imagine that they request the permission only once. The permission dialog would again state the top level context hostname, in all likelihood. 

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/browser-payment-api/issues/311#issuecomment-261797402

Received on Sunday, 20 November 2016 19:00:49 UTC