Re: [w3c/browser-payment-api] Send HTMLIFrameElement.allowPaymentRequest to HTML spec (#311)

@rsolomakhin and @adrianhopebailie:

Consider the case where you have a main page that is not a merchant, but for instance a news site. It allows its embedded advertisements (contained in iframes) to make use of Web Payments. So, for instance, while reading a sports article, you get an advertisement for a pair of running shoes, and can click a button in the advertisement to buy the shoes directly.

In this case, I don't think it makes sense to display the news site's origin as the owner of the payment request, as it is not that closely connected to the purchase. It makes much more sense to display the iframe's origin.

Opera leans towards displaying the origin of the frame that actually calls the Payment Request in the payment UI, as this was highlighted by our security team as important to protect against fraud. We don't want payment code that runs in an iframe to be able to pretend to the user that the payment belongs to the parent frame.

https://github.com/w3c/browser-payment-api/issues/311#issuecomment-261920943

Received on Monday, 21 November 2016 12:13:35 UTC