Re: [w3c/webpayments-payment-apps-api] Payment app identifier to manifest filename mapping (#48)

@tommythorsen 

> I don't think anyone would be against showing the origin of the recommended payment app along with the icon and label. If we prominently display the origin of each recommended payment app, does that take care of your security concerns, or is there more to it?

Like I said earlier in the thread, in this case the label and icon only serve to weaken security, as they're in control of the origin which aims to earn these permissions. This will be happening in a new browser-owned API, which users traditionally trust, and it seems we're talking about breaking/blurring that model.

> We have identified that there is a desire/need for something like recommended payment apps, but the fine details are left to be discussed. The good news is that we're discussing it right now, and I think we're getting somewhere.

Well, kinda. My major frustration with this thread is that it keeps descending into "How can we fetch a manifest", but the first step needs to be "What should the flow be?" then "What extra data do we need?" then finally "How do we get that data?". If "What should the flow be?" shows that we cannot use data provided by the other origin for security reasons, then that changes the next two steps considerably.

I've pointed this out here https://github.com/w3c/webpayments-payment-apps-api/issues/48#issuecomment-273201675 and here https://github.com/w3c/webpayments-payment-apps-api/issues/48#issuecomment-274094501 and here https://github.com/w3c/webpayments-payment-apps-api/issues/48#issuecomment-274348344 and here https://github.com/w3c/webpayments-payment-apps-api/issues/48#issuecomment-274350867 and here https://github.com/w3c/webpayments-payment-apps-api/issues/48#issuecomment-274351523 and here https://github.com/w3c/webpayments-payment-apps-api/issues/48#issuecomment-274429380 but as you can see there's still further discussion around manifests and link headers.

One of the champions for "presenting previously unvisited payments apps" needs to show a secure user flow for this feature, then we can start discussing APIs to make it work. If a secure user flow cannot be presented, this issue is dead.


Received on Tuesday, 24 January 2017 13:26:55 UTC