[w3c/payment-handler] Call out the need for merchants to validate payment responses (#288)

[Feedback on Payment Handler TAG review](https://github.com/w3ctag/design-reviews/issues/231#issuecomment-377645336) from @dbaron:

> Given that the merchant can't trust any security checking that the browser does anyway (even if the browser does end up verifying something based on the payment method manifest connected to the identifier), this seems like it has to be the answer. Perhaps that should be called out a little more clearly in the section on security considerations?

Pull requests welcome.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-handler/issues/288

Received on Thursday, 12 April 2018 15:23:57 UTC