- From: Jinho Bang <notifications@github.com>
- Date: Wed, 29 Nov 2017 16:53:04 +0000 (UTC)
- To: w3c/payment-handler <payment-handler@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 29 November 2017 16:53:30 UTC
> When paymentRequest.show() is called, the user will have the opportunity to allow or deny the available payment handlers and also potentially block offending origins from installing a payment handler ever again. I think it's a good idea, but there seems to be a little risky points. So I have some questions. When paymentRequest.show() is called, all registered payment apps are shown on payment sheet? What happens if some fishing site installs a large number of fishing payment apps for malicious purpose? Are they also shown on the payment sheet before asking a permission? For example, - I ususally use `Hello Pay` (https://hellopay.com). - When surf on the internet, fishing apps are installed involuntarily. - The fishing apps has the same look-and-feel with `Hello Pay`. - Moreover the fishing apps is not one. (too much) - So, it's difficult to select payment app because the app list is too long. - Even if the origin is shown, but the fishing apps also might have similar origins such as https://hellopay.co, https://hellopay.net, and so on. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/payment-handler/issues/239#issuecomment-347923748
Received on Wednesday, 29 November 2017 16:53:30 UTC