All of this depends on the intended user flow. If recommended payment apps can be registered via a special payments browser UI, there's a security concern as we're adding an origin level permission without ever showing the user the origin. If the browser simply links to the other origin so it can install and present permission prompts, then it's really just a link, and I don't see why this should sit in trusted browser UI. It risks looking like a browser endorsement, whereas a link on a page doesn't. But again, I'm just guessing because no one's detailing how this API is supposed to work in a secure way. 😢 -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/webpayments-payment-apps-api/issues/48#issuecomment-274790235
Received on Tuesday, 24 January 2017 12:27:56 UTC