These sorts of API queries sound like a serious security flaw.
I'd think the merchant should just invoke the API and then continue on as if the API did not exist. If the API works, then it should shut down the merchant page completely, transferring the user to the payment mediator selector thing, which lets the user select the payment app, and transfers control there.
We should presumably let the back button work in the payment mediator of course, presumably restoring the previous merchant page, thus allowing them to present payment options in their old way.
In principle, a browser vender might wish the payment mediator to present itself in parallel with the existing page. I think that's rather dangerous because it'll push the evolution towards a flawed security mode, but it's not intrinsically broken.
---
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments/issues/159#issuecomment-235549347