> I think that the security issue @jakearchibald raises about the security risk introduced if the app provides a logo and label is very important. We've come up against this "How do we verify an app's integrity?" question multiple times and I don't know if we have a good answer.
I think we need an answer before we continue.
The whole question of how to present recommended-but-not-installed payment apps is based around the idea that we *want* the browser to be able to display the options in a blessed UI and potentially (if selected) install the service worker, and grant permission for that to be a payment app.
If presenting that information in a blessed UI lowers security, we *do not want* the browser to do it. If that's the case, all this stuff about manifests & link headers is redundant.
--
https://github.com/w3c/webpayments-payment-apps-api/issues/48#issuecomment-274094501