Re: [w3c/webpayments] European market - Security concerns (#210)

@adamroach 
> The merchant app runs against its own origin. The payment app runs against its own origin, in a service worker. They exchange information with each other in a tightly-controlled fashion via the Web Payments API

I can't find any information in the current draft explaining these interactions. Although I'm just guessing here, it is not unimaginable that the Web Payment API could be abused.

> We don't dictate to them how they collect or store credentials; we allow and expect them to use the entire rich web platform to craft this according to their requirements and preferences. We are relying on the (easily demonstrable) fact that the platform already has affordances sufficient for this purpose.

Unfortunately your fellow Mozillians do not consider the Web platform (as shipping) suitable for credential storage: https://bugzilla.mozilla.org/show_bug.cgi?id=1065729#c262


Received on Friday, 3 March 2017 12:08:30 UTC