Let's pass in only the `origin` and the `iframeOrigin` instead. The top-level `origin` is useful because that's what user sees in the address bar of the user agent. The `iframeOrigin` of the iframe that invoked `PaymentRequest` is useful for the payment app to filter out origins that are not allowed to invoke them. (For example, let's suppose `https://bobpay.com` provides an iframe for their 100,000 merchants. The payment app could filter on `"iframeOrigin": "https://bobpay.com"` and not keep track of the full list of 100,000 merchant origins in their client-side code.) I don't see a point in passing in the full list of iframe origins to the payment app. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/webpayments-payment-apps-api/issues/120#issuecomment-289769943
Received on Tuesday, 28 March 2017 13:31:14 UTC