Re: [w3c/browser-payment-api] What if the user refuses to supply a shipping address (#279)

Yeah, the payment app does not really matter in this attack, but obviously some will tend to be more trustworthy than others, and some will get used for digital content which does not normally require a shipping address, so the payment app can be manipulated to give a positive impression.

The issue is: What if the browser automates providing a shipping address so that the user never sees it?

We actually cannot do anything about that because we cannot dictate UX for browsers. We can however warn in the spec that security requires that the user should be prompted with any specific information the browser reveals. If a browser vendor ignores that warning, then Steve the Stalker or whatever is a problem of their creation, not ours.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/browser-payment-api/issues/279#issuecomment-248700053

Received on Wednesday, 21 September 2016 18:27:57 UTC