Re: [w3c/webpayments] [Payment Request] Should we allow a "polling" mechanism for websites to not invoke the API if there are no enabled methods (#159) from Jeff Burdges on 2016-07-27 (public-payments-wg@w3.org from July 2016)

From: Jeff Burdges <notifications@github.com>
Date: Wed, 27 Jul 2016 03:36:28 -0700
To: w3c/webpayments <webpayments@noreply.github.com>
Cc: webpayments <public-payments-wg@w3.org>, Comment <comment@noreply.github.com>
Message-ID: <w3c/webpayments/issues/159/235549347@github.com>

These sorts of API queries sound like a serious security flaw.  

I'd think the merchant should just invoke the API and then continue on as if the API did not exist.  If the API works, then it should shut down the merchant page completely, transferring the user to the payment mediator selector thing, which lets the user select the payment app, and transfers control there.  

We should presumably let the back button work in the payment mediator of course, presumably restoring the previous merchant page, thus allowing them to present payment options in their old way.

In principle, a browser vender might wish the payment mediator to present itself in parallel with the existing page.  I think that's rather dangerous because it'll push the evolution towards a flawed security mode, but it's not intrinsically broken. 

---
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments/issues/159#issuecomment-235549347

Received on Wednesday, 27 July 2016 10:37:24 UTC