- From: Jeff Burdges <notifications@github.com>
- Date: Thu, 31 Mar 2016 06:38:21 -0700
- To: w3c/browser-payment-api <browser-payment-api@noreply.github.com>
Received on Thursday, 31 March 2016 13:38:55 UTC
Why does a payment app represent the user? It's that because they select it from a menu? A priori, I though some payment apps were hostile to the user, like merchant specific ones. I'll keep an eye out for tricks to turn this into a vulnerability. There is for example a kind of super-cookie where I tell the browser the user requested payment, and only the super-tracker payment app works, which someone previously tricked the user into installing. If it does not open a menu for a request with only one payment method, then super-tracker gets control, takes its tracking actions, and send the browser right back to the original page. I suppose one avoids that my requiring that the payment app selector always appear, even if only one valid payment method exists. --- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/browser-payment-api/issues/17#issuecomment-203940453
Received on Thursday, 31 March 2016 13:38:55 UTC