@dlongley wrote:
> This seems like a good idea to me. However, would this be a problem for scenarios where users only interact on origin A -- which uses postMessage to trigger origin B (in an iframe) to call the API? Are there existing payment systems that look like this or that may want to function this way if adopting the payment request API?
That would not work in this scenario, as that's akin to click jacking.
@zkoch wrote:
> If we decide to say something about this in the spec, I think it needs to be in the form of 'MUST' language. Since this would impact an implementation decision, such as in the use case above, users have to be able to reason about whether their implementation would work cross-browser.
Yes, it would need to be a MUST and would throw without the click.
We could go without it initially and see how people use the API... if it becomes a problem, we can add it later.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/browser-payment-api/issues/486#issuecomment-290242620