- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Tue, 1 Sep 2015 07:29:06 +0200
- To: Tony Arcieri <bascule@gmail.com>
- Cc: "public-web-security@w3.org" <public-web-security@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 2015-09-01 07:16, Tony Arcieri wrote: <snip> > > > Since neither You nor Google/Microsoft/Apple/Mozilla/Whatever haven't told us anything on how *they* think that any number of unrelated merchants should/could get access to a client's payment resources on Web, we are apparently awaiting "Divine Intervention" :-) > > > I like the idea of Stripe-style payment widgets. These allow payment tokens to be provisioned on a particular origin, and payments made via JS/communicating iframes. Stripe is apparently hoping to become a super-provider. Unless they succeed with that, their solution is dead in water. That's the core I (apparently in vain) tried to outline in my original posting. Anders > > There are obviously a lot of unsolved concerns around this approach, particularly around things like secure content embedding, phishing, clickjacking, etc. The Position Observer API proposal looks interesting in that regard: > > https://github.com/slightlyoff/PositionObserver/blob/master/explainer.md > > -- > Tony Arcieri
Received on Tuesday, 1 September 2015 05:29:47 UTC