Re: [w3c/webpayments] European market - Security concerns (#210)

@cyberphone --

> - Where (and how) is SOP overridden? ServiceWorkers do that? IFRAME does the trick?

The merchant app runs against its own origin. The payment app runs against *its* own origin, in a service worker. They exchange information with each other in a tightly-controlled fashion via the Web Payments API. The model here is very similar to [Web Messaging](https://html.spec.whatwg.org/multipage/comms.html#web-messaging) and [Foreign Fetch](https://developers.google.com/web/updates/2016/09/foreign-fetch).

> - Where (and how) are payment credentials stored?

This is handled the same way as it is today: cookies, IndexedDB, or local storage. It is entirely up to the app to use one or more of these technologies in whatever way it sees fit. Storage on the back-end is entirely up to the payment provider. There are also touchpoints with things like [WebAuth](https://www.w3.org/TR/2016/WD-webauthn-20161207/) and the emerging [Credential Management API](https://w3c.github.io/webappsec-credential-management/).

Most importantly, this is out of scope for the work we're doing. The WebPayments working group is defining a new capability that allows developers to create Web Apps that can provide payments. We don't dictate to them how they collect or store credentials; we allow and expect them to use the entire rich web platform to craft this according to their requirements and preferences. We are relying on the (easily demonstrable) fact that the platform already has affordances sufficient for this purpose.

> - How do you perform cryptographic operations in payment apps?

[WebCrypto](https://www.w3.org/TR/2016/PR-WebCryptoAPI-20161215/).

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments/issues/210#issuecomment-283127046