We must differentiate between the permission a user grants to an origin to "handle payment requests" and the ability of a payment app (a Service Worker with a scope under that origin) to handle payment requests for a specific payment methods.
Therefor there are two things that happen:
1. An origin requests and is granted/denied permission to handle payment requests
2. A payment app notifies the browser that it can handle payments for a specific payment method
I think we must still decide if 2. requires user consent, this feels like a separate issue.
Concrete proposal to close THIS issue:
1. Update the registration process to explicitly ask the user if they grant permission for the calling origin to handle payment requests (similar to existing permission requests like location etc)
2. Resolve whether or not a user must consent to a payment app altering the set of payment methods it supports.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments-payment-apps-api/issues/98#issuecomment-275037783