Re: [browser-payment-api] Spec should use [SecureContext] once that is defined in Web IDL (#22) from Håvard Molland on 2016-03-17 (public-webpayments-specs@w3.org from March 2016)

From: Håvard Molland <notifications@github.com>
Date: Thu, 17 Mar 2016 05:08:02 -0700
To: w3c/browser-payment-api <browser-payment-api@noreply.github.com>
Message-ID: <w3c/browser-payment-api/issues/22/197850125@github.com>

@msporny, @mountielee: The Browser API should be restricted to secure context only, and I don't believe  we should enable the user to override this (apart from perhaps a low level flag for developers). If a MITM attacker can take control over the merchant site, the payment can be redirected to a different receiver such that the payment ends up at the attacker's account instead of the merchant's, or the attacker can simply trigger a via instrument and steal the details.

Browsers have been trying to get rid for security overriding for years. They confuse users and teach them to ignore security warnings (and therefore it would affect security all over, not only for this spec). 


---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/browser-payment-api/issues/22#issuecomment-197850125

Received on Thursday, 17 March 2016 12:08:33 UTC