- From: Matt N. <notifications@github.com>
- Date: Wed, 29 Mar 2017 16:26:35 -0700
- To: w3c/browser-payment-api <browser-payment-api@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 29 March 2017 23:27:33 UTC
> We could go without it initially and see how people use the API... if it becomes a problem, we can add it later. I think we should do the opposite since it's way harder to add the restriction later compared to removing it. I don't think we should be adding new features to the web platform that can be used to annoy users outside the content area just by simply visiting a page. > There are also legitimate uses cases we've seen where you wouldn't want this. For example, a merchant wants to implement PaymentRequest, and the shortest path to doing so is just to invoice PR.show() on the redirect to /checkout. It's completely in line with user expectations and is easy to implement. I agree that such an implementation would be in line with user expectations but I still would rather not keep open the door for malicious authors. Legitimate sites can take a longer path to work with the API so that the web doesn't have a new annoyance API to support forever. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/browser-payment-api/issues/486#issuecomment-290256717
Received on Wednesday, 29 March 2017 23:27:33 UTC