- From: Rouslan Solomakhin <notifications@github.com>
- Date: Thu, 13 Dec 2018 22:52:05 -0800
- To: w3c/payment-handler <payment-handler@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 14 December 2018 06:52:26 UTC
Thank you for the review, @domenic, @ianbjacobs, and @marcoscaceres! My intention here is to block both HTTP (non-secure) pages and HTTPS pages where certificates are self-signed, expired, revoked, and so on. I would encourage user agent implementers to clamp this down as much as possible.

For example, take a look at https://badssl.com. Many of the red-color links there lead to pages with questionable security. Chrome will display an interstitial, but users can sometimes bypass this interstitial by clicking on [Advanced]->"Proceed (unsafe)". After the user has bypassed the interstitial, Chrome treats the page as secure, but I am proposing to make an exception for payments-related API. Payment Handler and Payment Request should not work with questionable HTTPS states.

What is the best phrasing to use in this pull request to achieve this goal?

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-handler/pull/283#issuecomment-447232735