Re: [w3c/payment-handler] User consent and permissions (#239)

Hi @romandev,

Thank you for bringing up these concerns. We should document these concerns and the possible mitigations in the spec for the benefit of all implementers and web developers. Here's what I'm thinking:

1. Browsers should allow installing payment handlers only from top-level context or an iframe with appropriate permissions (e.g., `allowpaymentrequest` can be reused here). Thus, to install a payment handler from https://hellopay.co, you would need to first visit that website or some other website that trusts http://hellopay.co.

2. Browsers should use [payment method manifests](https://w3c.github.io/payment-method-manifest/) to verify that https://alicepay.xyz is allowed to handle payments for https://bobpay.xyz payment method. Thus, to see a payment handler from https://alicepay.xyz when attempting payment via https://bobpay.xyz/pay payment method, the owners of https://bobpay.xyz/pay would first have to grant permissions to https://alicepay.xyz to use their payment method name.

3. Before user consent, browsers should show only the origin of the payment handler. Thus, even if https://hellopay.co uses the same name and icon as https://hellopay.com, the user will not see those before giving consent. After the user clicks [ allow ], the browser would show the name and icon for the payment handler, and the user should have the opportunity to check those against their expectations and potentially block a misbehaving payment handler by origin.

Let me know whether I've addressed your concerns sufficiently. We plan to implement all three of these mitigations in Chrome.

Cheers,
Rouslan

-- 
https://github.com/w3c/payment-handler/issues/239#issuecomment-347928360

Received on Wednesday, 29 November 2017 17:08:11 UTC
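As an added illustration (not code from this thread, from Chrome, or from the spec): a small Python model of the manifest check in point 2 and of the origin-only display in point 3. The field names `default_applications` and `supported_origins` are those of the payment method manifest format; the manifest contents below are constructed for the example and stand in for a network fetch, and the URLs are only the ones used in the message above.

```python
"""Model of the payment method manifest check and origin display."""
import json
from urllib.parse import urlsplit

# Constructed sample manifests keyed by payment method identifier (URL).
# A browser would fetch these over the network; the dict replaces that step.
CONSTRUCTED_MANIFESTS = {
    "https://bobpay.xyz/pay": json.dumps({
        "default_applications": ["https://bobpay.xyz/manifest.json"],
        # bobpay.xyz explicitly lets alicepay.xyz handle its payment method.
        "supported_origins": ["https://alicepay.xyz"],
    }),
    "https://hellopay.com/pay": json.dumps({
        # No supported_origins: only hellopay.com itself may handle it.
        "default_applications": ["https://hellopay.com/manifest.json"],
    }),
}


def origin_of(url: str) -> str:
    """Return the scheme://host[:port] origin of a secure absolute URL.

    This is the only identity a browser should show before consent (point 3):
    a name or icon can be copied, the origin cannot.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"payment handler origin must be https: {url!r}")
    host = parts.hostname.lower()
    if parts.port is not None and parts.port != 443:
        return f"https://{host}:{parts.port}"
    return f"https://{host}"


def fetch_manifest(payment_method: str, store=CONSTRUCTED_MANIFESTS) -> dict:
    """Stand-in for fetching the manifest of a URL-based payment method."""
    text = store.get(payment_method)
    if text is None:
        raise LookupError(f"no payment method manifest for {payment_method}")
    return json.loads(text)


def allowed_handler_origins(manifest: dict):
    """Origins permitted by a manifest, or None if any origin is allowed.

    The origin hosting a default application is implicitly allowed; each
    entry of supported_origins is compared as a full origin, so a subdomain
    or a look-alike domain does not match. The draft of the time also
    allowed the string "*" to mean any origin.
    """
    supported = manifest.get("supported_origins", [])
    if supported == "*":
        return None
    origins = {origin_of(app) for app in manifest.get("default_applications", [])}
    origins.update(origin_of(o) for o in supported)
    return origins


def handler_allowed(payment_method: str, handler_origin: str,
                    store=CONSTRUCTED_MANIFESTS) -> bool:
    """Point 2: may a handler at handler_origin serve payment_method?"""
    allowed = allowed_handler_origins(fetch_manifest(payment_method, store))
    if allowed is None:
        return True
    return origin_of(handler_origin) in allowed


if __name__ == "__main__":
    for method, handler in [
        ("https://bobpay.xyz/pay", "https://alicepay.xyz"),
        ("https://bobpay.xyz/pay", "https://evil.alicepay.xyz"),
        ("https://hellopay.com/pay", "https://hellopay.co"),
    ]:
        verdict = "allowed" if handler_allowed(method, handler) else "rejected"
        print(f"{origin_of(handler)} for {method}: {verdict}")
```

The comparison is on whole origins, so the look-alike in point 3 (hellopay.co against hellopay.com) is rejected by the manifest check as well as being distinguishable in the consent prompt, which shows only the origin string that `origin_of` produces.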