W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2015

Security Review of the Google Web Payment API Proposal

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Wed, 14 Oct 2015 09:01:35 +0200
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <561DFDCF.6030908@gmail.com>
A review has been requested:
https://lists.w3.org/Archives/Public/public-webpayments-ig/2015Sep/0089.html

This seems to be the most current write-up:
https://github.com/WICG/paymentrequest/blob/master/explainer.md

SOP Compliance:
===============
As described by Alex Russel in the (in)famous SOP questioning thread:
  "ensure that SOP is enforced through the browser by making the payment
   mechanisms a browser-mediated conversation, allowing interposition of
   user consent to information sharing"

Translated into normal language this possibly means that it is the user who
unilaterally decides if they want to deal with "evilmerchant.com" or not.
Presumably only the HTTPS server-certificate needs to be genuine.

Native Level Access:
=====================
The proposal talks about native level access including systems like Apple Pay.

No specific solution has yet been presented but I assume that Google is considering the
same mechanism as I envisioned for the more universal navigator.nativeConnect() API,
which simply is reusing the since ages ago established IPC (Inter Process Communication)
systems which enable secure communication between end-points within an
operating system environment.

Payment Transaction Security:
=========================
N/A

Cheers,
Anders
Received on Wednesday, 14 October 2015 07:02:12 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC