- From: ianbjacobs <notifications@github.com>
- Date: Tue, 13 Feb 2018 23:50:06 +0000 (UTC)
- To: w3c/payment-request <payment-request@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 13 February 2018 23:50:29 UTC
ianbjacobs commented on this pull request.

> + <li>A <a>top-level browsing context</a> need to explicitly grant an + <a>iframe</a> the ability to access the <a>PaymentRequest</a> + interface via the <a>allowpaymentrequest</a> attribute. This prevents + embedded third-party content from accessing the interfaces of the + <cite>Payment Request API</cite> without the <a>top-level browsing + context</a>'s permission. + </li> + <li>In the definition of <a>canMakePayment()</a> the Working Group + seeks a balance between user experience and date protection. As + defined, <a>canMakePayment()</a> provides the party that calls the + API with information about the user's environment. To reduce the + potential for abuse, implementers plan a number of mitigations, + including rate-limiting <a>canMakePayment()</a> calls from the same + origin. + </li> + <li>A user agent can limit matching (in <a>show()</a> and

It is my understanding that implementations are doing this. @adrianba, @zkoch, @rsolomakhin do you have any experience to share or any new thoughts on this topic?

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/w3c/payment-request/pull/683#discussion_r168040398
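
Review bot: in the canMakePayment() item, "a balance between user experience and date protection" reads as a typo for "data protection", and in the first item "A top-level browsing context need to explicitly grant" should be "needs to". The canMakePayment() item also describes rate-limiting "calls from the same origin" without saying which origin is meant when the caller is an iframe that was granted access through allowpaymentrequest (the item just above it); stating whether the limit is keyed on the calling frame's origin, the top-level origin, or both would make the mitigation checkable.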