Re: [webpayments] How are payment instruments registered? (#14)

> Why do you feel that the endpoint is required to be the same as the origin? I could imagine a payment app development house providing lots of different payment apps for mom and pop (e.g., smaller) retailers. Payment-Apps-R-Us would be the origin of the app and might even act as an aggregator or something, but the endpoint is www.bobs-groceries-and-gas.com/app/

To preserve SOP and security, I'd recommend that when the UA does a POST to the URI that hosts the payment app, it should be to the same origin that registered the app.

In this case, either Payment-Apps-R-Us hosts the endpoint (most likely, as they'd deal with the security aspects of doing this as well as developing the apps themselves; likely business for PSPs) or they provide the app to Bob's to both host and install.

---
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments/issues/14#issuecomment-163340376

Received on Wednesday, 9 December 2015 17:58:55 UTC
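The same-origin rule proposed in the reply above, as an added example in JavaScript that is not part of this thread or of any W3C payment app implementation. It assumes a hypothetical UA-side registry, the function names shown, and a payment-apps-r-us.example origin standing in for Payment-Apps-R-Us; www.bobs-groceries-and-gas.com is the merchant host from the quoted comment. The gate is applied twice, once at registration and again just before the POST is built, so that the record the UA trusts cannot drift to a cross-origin endpoint in between.

```javascript
// Added example, not code from the w3c/webpayments thread. It sketches the
// same-origin gate the reply recommends: a UA only POSTs to a payment app
// endpoint whose origin equals the origin that registered it. The registry,
// the function names and the payment-apps-r-us.example host are assumptions.

// Origin (scheme://host[:port]) of a URL, or null if it has no usable origin.
// URL.origin already lowercases the host, drops default ports and ignores
// path, query, fragment and userinfo, so it is safe to compare as a string.
function originOf(urlString, base) {
  try {
    const origin = new URL(urlString, base).origin;
    return origin === "null" ? null : origin; // opaque origins (data:, about:) are rejected
  } catch (e) {
    return null; // unparsable URL or base
  }
}

// Strict same-origin comparison: scheme, host and port must all match.
// A subdomain, a different scheme or a non-default port is cross-origin.
// Relative endpoints resolve against the registering origin.
function isSameOrigin(registeringOrigin, endpointUrl) {
  const a = originOf(registeringOrigin);
  if (a === null) return false;
  const b = originOf(endpointUrl, a);
  return b !== null && a === b;
}

// Registration step: store the endpoint only if it passes the gate.
// `registry` is a Map from endpoint URL to { origin, endpoint } (hypothetical).
function registerPaymentApp(registry, registeringOrigin, endpointUrl) {
  const origin = originOf(registeringOrigin);
  if (origin === null) throw new Error(`invalid registering origin: ${registeringOrigin}`);
  const endpoint = new URL(endpointUrl, origin); // throws on an unparsable endpoint
  if (endpoint.protocol !== "https:" && endpoint.protocol !== "http:") {
    throw new Error(`endpoint must be http(s), got ${endpoint.protocol}`);
  }
  if (endpoint.origin !== origin) {
    throw new Error(`refusing cross-origin endpoint ${endpoint.href} for ${origin}`);
  }
  registry.set(endpoint.href, { origin, endpoint: endpoint.href });
  return endpoint.href;
}

// Request-time step: re-check the stored record before building the POST, so
// a registry entry altered after registration cannot redirect the request.
// Returns a plain description of the request instead of sending it.
function buildPaymentPost(registry, endpointHref, paymentRequest) {
  const record = registry.get(endpointHref);
  if (!record) throw new Error(`no registered payment app at ${endpointHref}`);
  if (!isSameOrigin(record.origin, record.endpoint)) {
    throw new Error(`registration for ${endpointHref} is no longer same-origin`);
  }
  return {
    method: "POST",
    url: record.endpoint,
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(paymentRequest),
  };
}

// Constructed scenario from the thread: the app house registers the app, the
// merchant wants to host the endpoint. Under the rule, that second case is refused.
const appHouse = "https://payment-apps-r-us.example"; // assumed origin
const merchantEndpoint = "https://www.bobs-groceries-and-gas.com/app/";
const demoRegistry = new Map();
console.log(isSameOrigin(appHouse, merchantEndpoint)); // false
console.log(isSameOrigin(appHouse, appHouse + ":443/app/")); // true: default port is normalised
console.log(registerPaymentApp(demoRegistry, appHouse + "/register.html", "/app/")); // https://payment-apps-r-us.example/app/
try {
  registerPaymentApp(demoRegistry, appHouse, merchantEndpoint);
} catch (e) {
  console.log("blocked:", e.message);
}
```

The origin comparison deliberately does not loosen anything: `app.payment-apps-r-us.example` and `https://payment-apps-r-us.example:8443` are cross-origin to `https://payment-apps-r-us.example`, exactly as under SOP in the browser. If a deployment wanted the aggregator model from the quoted comment, it would have to be an explicit, separately reviewed exception rather than a relaxation of this check.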