Let's pass in only the `origin` and the `iframeOrigin` instead. The top-level `origin` is useful because that's what user sees in the address bar of the user agent. The `iframeOrigin` of the iframe that invoked `PaymentRequest` is useful for the payment app to filter out origins that are not allowed to invoke them. (For example, let's suppose `https://bobpay.com` provides an iframe for their 100,000 merchants. The payment app could filter on `"iframeOrigin": "https://bobpay.com"` and not keep track of the full list of 100,000 merchant origins in their client-side code.) I don't see a point in passing in the full list of iframe origins to the payment app.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments-payment-apps-api/issues/120#issuecomment-289769943