- From: Adrian Hope-Bailie <notifications@github.com>
- Date: Fri, 22 Nov 2019 03:36:12 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/427/557499296@github.com>
@hober IMO concerns about phishing native UI are unfounded. It seems trivial for browsers to implement modal windows in such a way that they cannot be mistaken for native UI by doing simple things like showing an address bar at the top of the window. To use @marcoscaceres example, a native UI would replace that bar at the top with something that can only be rendered by the platform. ![](https://user-images.githubusercontent.com/870154/37321106-f0577f1c-26ca-11e8-86e5-c7f91eb7c16f.png) What is stopping a website from using a pop-up today that renders as close as possible to an Apple Pay sheet? This is arguably even more confusing since the `window.open` API provides the caller even more control over the look and feel that we would want to give a modal window caller. I'm not sure how the answer to Q11 can be changed to provide any information that isn't already there? The proposal is to give the calling site the ability to create a new context but not have any control over how it is rendered. The influence the caller has is the modality of the new context, so by calling the API they effectively make their own context non-interactive. With PH API the calling context has indirect control over the URL that is rendered inside that context (i.e. it specifies which payment methods are supported and the user selects a payment handler to invoke that supports that payment method) but has no control over the size or position of the window or what is rendered around it to flag to the user that it's a Payment Handler context. > Don't you anticipate browsers having to take similar measures for modal windows? If not, why not? Not at the API level, no. The way browsers render modal windows should handle this as I describe above. I'd also note that "native UI" is rare (the Apple Pay sheet is unique to Safari) so it would be useful to enumerate what native UI you consider at risk of being spoofed. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/427#issuecomment-557499296
Received on Friday, 22 November 2019 11:36:14 UTC