Re: [w3c/browser-payment-api] Send HTMLIFrameElement.allowPaymentRequest to HTML spec (#311)

> Do you mean a permission request akin to geolocation? We don't plan to use that for web payments, because geolocation permission allows polling the user's location in the background, which we do not want for payments. The user should approve every transaction.

👍 

> There's only one approval screen, which shows the hostname of the top-level context. This screen might also show the hostnames of the embedded iframes, but this security UX should be left to implementers to decide.

👍 


> If any user agent implements "approve once, pay multiple times" behavior, I would imagine that they request the permission only once. The permission dialog would again state the top-level context hostname, in all likelihood.

👍 

I'd hope they only allow repetitive payments from that origin then and not from the origin of the sub-context. Not sure if we need to go into this detail?


Received on Monday, 21 November 2016 11:51:29 UTC