Re: [webpayments] What gets registered - apps, wallets, or payment instruments? (#28)

I'd agree with registering only payment applications.  I'm concerned with what the payment applications reveal to the pages the user visits though, which I suppose goes here since the comment by @msporny impacts it.

Ideally, payment applications should not even be able to reveal that they're installed until the user selects them.  In particular, the payment applications should never learn that the user has visited a page selecting payment until the user selects that particular payment application, as payment applications might have network access themselves.

We'll thus need some form of "payment application mediator" through which the user selects which payment application to use.  We cannot realistically ask the browser makers to provide this user-interface because merchants want to control the look and feel of their payment page, and browser makers dislike controlling the look and feel too much.

We could create a secure context in which the merchant may run javascript that:
- may only modify a small portion of the page on which it runs, and
- cannot communicate with the larger page it runs on, or the network, but
- has exclusive rights to read the registration data of payment applications and launch them.

There is an important side benefit of keeping the payment applications in the dark as long as possible:  If the payment applications cannot spy on the user, then they cannot annoy the user with ads, etc. either, making security software, ad blockers, users, etc. less likely to disable everything.  

I have not yet read the existing secure contexts stuff, but it's hopefully relevant:  https://w3c.github.io/webappsec-secure-contexts/ 

---
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments/issues/28#issuecomment-163893044

Received on Friday, 11 December 2015 09:52:41 UTC
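An added example, not from this thread or the webpayments project, that models the "payment application mediator" policy proposed above in plain JavaScript: the merchant code receives a single capability, the mediator alone holds the registry and the selection UI, and only the one application the user picks ever learns that the page exists. The browser-side sandboxing (secure context, no network, limited DOM) is assumed rather than implemented, and all application names, methods and tokens are constructed sample data.

```javascript
// Added example (not from the thread): a model of the "payment application
// mediator" policy sketched above. The browser-side sandboxing (secure
// context, no network, limited DOM) is assumed; what is modelled is which
// party learns what, and when. App names and methods are constructed data.
// registry: installed payment applications, visible only inside the mediator.
// chooseForUser: the mediator's own selection UI (here a plain function),
// never supplied by the merchant, so candidate labels never reach merchant code.
function createMediator(registry, chooseForUser) {
  const launched = [];   // apps that were started and so learned of the visit

  // The only capability handed to merchant code inside the secure context.
  function requestPayment(acceptedMethods) {
    const candidates = registry.filter(app =>
      app.methods.some(m => acceptedMethods.includes(m)));
    // No match and user cancellation look identical to the merchant, so the
    // merchant cannot probe which applications are installed.
    const label = candidates.length ? chooseForUser(candidates.map(a => a.label)) : null;
    const app = candidates.find(a => a.label === label);
    if (!app) return { status: 'cancelled' };
    launched.push(app.label);   // only now does exactly one app learn about the page
    return {
      status: 'ok',
      method: app.methods.find(m => acceptedMethods.includes(m)),
      response: app.launch(),   // payment response, returned after selection
    };
  }
  return { requestPayment, launchedApps: () => launched.slice() };
}

// Constructed sample registry.
const SAMPLE_REGISTRY = [
  { label: 'Alpha Wallet', methods: ['basic-card'], launch: () => 'alpha-token' },
  { label: 'Beta Pay', methods: ['basic-card', 'beta-credit'], launch: () => 'beta-token' },
  { label: 'Gamma Coins', methods: ['gamma-coin'], launch: () => 'gamma-token' },
];

// A simulated user who picks Beta Pay when offered, otherwise cancels.
const pickBeta = labels => (labels.includes('Beta Pay') ? 'Beta Pay' : null);

// Merchant-side view: only requestPayment is exposed, and the merchant learns
// nothing about Alpha Wallet or Gamma Coins from any of the calls below.
function demo() {
  const mediator = createMediator(SAMPLE_REGISTRY, pickBeta);
  const merchantApi = { requestPayment: mediator.requestPayment };
  const paid = merchantApi.requestPayment(['basic-card']);      // user picks Beta Pay
  const probed = merchantApi.requestPayment(['gamma-coin']);    // match exists, user cancels
  const none = merchantApi.requestPayment(['unknown-method']);  // no match at all
  return { paid, probed, none, launched: mediator.launchedApps() };
}
```

Run `demo()` to see that the two failed requests are indistinguishable to the merchant and that only Beta Pay appears in the launched list.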