- From: Håvard Molland <notifications@github.com>
- Date: Thu, 17 Mar 2016 05:08:02 -0700
- To: w3c/browser-payment-api <browser-payment-api@noreply.github.com>
Received on Thursday, 17 March 2016 12:08:33 UTC
@msporny, @mountielee: The Browser API should be restricted to secure context only, and I don't believe we should enable the user to override this (apart from perhaps a low level flag for developers). If a MITM attacker can take control over the merchant site, the payment can be redirected to a different receiver such that the payment ends up at the attacker's account instead of the merchant's, or the attacker can simply trigger a via instrument and steal the details. Browsers have been trying to get rid for security overriding for years. They confuse users and teach them to ignore security warnings (and therefore it would affect security all over, not only for this spec). --- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/browser-payment-api/issues/22#issuecomment-197850125
Received on Thursday, 17 March 2016 12:08:33 UTC