RE: Seeking feedback on "user consent" text in Web Payments Working Group specification from Adrian Bateman on 2016-10-07 (public-privacy@w3.org from October to December 2016)

From: Adrian Bateman <adrianba@microsoft.com>
Date: Fri, 7 Oct 2016 18:14:16 +0000
To: Mike O'Neill <michael.oneill@baycloud.com>, 'Ian Jacobs' <ij@w3.org>, "public-privacy@w3.org" <public-privacy@w3.org>
CC: 'Adam Roach' <abr@mozilla.com>, "'Telford-Reed, Nick'" <Nick.Telford-Reed@worldpay.com>, 'Adrian Hope-Bailie' <adrian@ripple.com>
Message-ID: <BLUPR0301MB152238BAC6E2AE925DEEC6A0D3C60@BLUPR0301MB1522.namprd03.prod.outlook.>

> On Fri, Oct 07, 2016 at 06:42:59, Mike O'Neill wrote:
> I wonder if the "allowpaymentrequest" attribute on an iframe is
> sufficient to stop rogue script dynamically creating iframes which
> present bogus payment requests to the user. Maybe a CSP directive would
> work here, or at least block payment requests from iframes when the top
> level context is not secure.

iframes for which the top level context is not secure are not Secure Contexts
and so the PaymentRequest API isn't available.

Received on Friday, 7 October 2016 18:15:14 UTC