Re: [w3c/webpayments-payment-apps-api] Payment app identifier to manifest filename mapping (#48)

@jakearchibald -- It's not that I don't take security seriously; it's just that you haven't outlined any threat that the proposed approaches actually make worse; or, if you have, you haven't described how it does do.

Let's back up. The state of the art today is that a malicious or hacked merchantsite.com could contain a "Check out with Paypal"-branded button on their site, with the button linking to a "checkout flow" on evil.com.

Keeping that in mind, describe a scenario that the proposed "Recommended Payment" functionality enables that isn't currently possible. Start with the user clicking on "buy," and describe the steps that take place up to the point that money leaves that user's possession and enters the hands of someone they did not desire to pay.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments-payment-apps-api/issues/48#issuecomment-274393796

Received on Monday, 23 January 2017 03:48:23 UTC