- From: ianbjacobs <notifications@github.com>
- Date: Tue, 21 Apr 2020 15:18:51 -0700
- To: w3c/webpayments <webpayments@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 21 April 2020 22:19:05 UTC
@ianbjacobs commented on this pull request.

> @@ -149,6 +150,10 @@ <h2> cards (e.g., business and personal) belong to the same individual, the user should make use of two profiles. </li> + <li>Although "private browsing mode" may help mitigate some of the + threats described here, we do not consider it a sufficient mitigation + strategy. + </li> <li>Most browsers are moving in the direction of double-keyed partitioning, whatever the storage mechanism.

Hi @danyao,

I had understood that there is a goal for double-keyed partitioning in other storage mechanisms as well. If the mechanisms are, in some cases, interchangeable, it's not clear why one would be allowed to have more power than others. I could be wrong and so I'll ask around again.

The relevance of the comment is not obvious. Would this replacement be more appropriate:

"We expect browsers to move in a direction where mechanisms used for cross-origin communications, such as iframes, popups, and payment handlers, to have those mechanisms open in a third party context by default."

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments/pull/253#discussion_r412530236
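Review bot: The added `<li>` on "private browsing mode" gives a verdict without a reason: "some of the threats described here" and "we do not consider it a sufficient mitigation strategy" do not say which threats remain or why the mode falls short. Suggest naming the threats it does not address, or adding one clause explaining the gap, so the item tells the reader what else is needed. The unchanged item that follows, on double-keyed partitioning, has the same gap: it is not tied to any threat in this list.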