- From: Thomas Jensen <notifications@github.com>
- Date: Sun, 22 May 2016 14:51:51 -0700
- To: w3c/browser-payment-api <browser-payment-api@noreply.github.com>
- Cc:
- Message-ID: <w3c/browser-payment-api/issues/203/220858707@github.com>
@adamroach writes: > That is, unless what you have in mind is simply "remove cross-origin protections." I assume that's not what you have in mind per se, but I encourage you to think really hard about whether what you're thinking about eventually has the same result. Yes and no. This is a concern I indeed have been thinking about. Mostly (honestly this is just a guess) cross-origin protection is about webpage A not being able to act on behalf of or impersonate you on webpage B. What I suggest (I am just putting out an alternative idea) is merely about communication over a new channel - which does not resemble posting forms or requesting stuff with user's cookies at all. It is not really new, is entirely doable today - bad guys could have been (is?) doing it for years - it is just cumbersome, feels like a hack, works only offline in Chrome and Firefox, the rest requires a relay server (experiment linked in original post). Desktop applications have always had this (mostly through the file system), and I value the fundamentally better approach of the web of apps, but we need to solve this also - not just for payments. @burdges writes: > I'm mentioned in a few places that payment apps must be treated as hostile to the user because merchant provided payment apps are occasionally discussed. I believe that never literally made it into the specification itself though. I agree. They should be no different from any other web application and have no special privileges. --- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/browser-payment-api/issues/203#issuecomment-220858707
Received on Sunday, 22 May 2016 21:52:19 UTC