Re: [w3c/webpayments-payment-apps-api] Use PaymentRequest and PaymentResponse (#99)

@adamroach, to be clear, the "origin" is optional above - and would be for those who want to have a 1-to-1 relationship ("bobpay.com" === "exclusively registered https://bobpay.com"). And it saves the hassle of having to use web crypto.  

And, you could still have multiple registered payment handlers of "Bitcoin", for instance: bad-actor.com and goodbitcoin.com. Using the web crypto approach, "bad-actor.com" would not be able to decrypt "goodbitcoin.com"'s `.data`. 

Lastly, we can assure that the standardized payment methods (e.g., basic-card) should not have leaky `.data` members. This assures that when the event is received by a malicious service worker, it can't gather any information about where the request came from or any private data. 

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments-payment-apps-api/issues/99#issuecomment-276275953

Received on Tuesday, 31 January 2017 05:04:40 UTC
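
One way the per-handler encryption of `.data` discussed in this message could work, as an added example that is not code from the thread or the spec. It assumes each handler origin holds an RSA-OAEP key pair whose public key the merchant already knows; `newHandlerKeys`, `sealData`, `openData` and `demo` are hypothetical names, and the payload is constructed.

```javascript
// Web Crypto: global in browsers and recent Node; older Node exposes it via require.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const RSA = { name: "RSA-OAEP", modulusLength: 2048,
              publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" };

// Assumption: every handler origin generates a key pair and shares only the public half.
function newHandlerKeys() {
  return wc.subtle.generateKey(RSA, false, ["wrapKey", "unwrapKey"]);
}

// Merchant side: seal `.data` so that only the intended handler can open it.
// A fresh AES-GCM key encrypts the payload; RSA-OAEP wraps that key for the handler.
async function sealData(data, handlerPublicKey) {
  const aes = await wc.subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt"]);
  const iv = wc.getRandomValues(new Uint8Array(12));
  const plaintext = new TextEncoder().encode(JSON.stringify(data));
  return {
    iv,
    ciphertext: await wc.subtle.encrypt({ name: "AES-GCM", iv }, aes, plaintext),
    wrappedKey: await wc.subtle.wrapKey("raw", aes, handlerPublicKey, { name: "RSA-OAEP" }),
  };
}

// Handler side: returns the data, or null when it was sealed for a different origin.
async function openData(sealed, handlerPrivateKey) {
  try {
    const aes = await wc.subtle.unwrapKey("raw", sealed.wrappedKey, handlerPrivateKey,
      { name: "RSA-OAEP" }, { name: "AES-GCM" }, false, ["decrypt"]);
    const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv: sealed.iv }, aes, sealed.ciphertext);
    return JSON.parse(new TextDecoder().decode(pt));
  } catch {
    return null; // unwrap or decrypt failed: wrong key or tampered ciphertext
  }
}

// Two handlers registered for the same method; the request is sealed for one of them.
async function demo() {
  const good = await newHandlerKeys(); // stands in for goodbitcoin.com
  const bad = await newHandlerKeys();  // stands in for bad-actor.com
  const data = { address: "constructed-sample-address", memo: "order 1" }; // constructed
  const sealed = await sealData(data, good.publicKey);
  return { good: await openData(sealed, good.privateKey),
           bad: await openData(sealed, bad.privateKey) };
}
```

The service worker that receives the event but lacks the matching private key gets only `iv`, `ciphertext` and `wrappedKey`, none of which reveal the payload.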