- From: Peter Saint-Andre <notifications@github.com>
- Date: Tue, 13 Feb 2018 23:58:36 +0000 (UTC)
- To: w3c/payment-request <payment-request@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/payment-request/pull/683/review/96346033@github.com>
stpeter commented on this pull request.

> + context</a>'s permission. + </li> + <li>In the definition of <a>canMakePayment()</a> the Working Group + seeks a balance between user experience and date protection. As + defined, <a>canMakePayment()</a> provides the party that calls the + API with information about the user's environment. To reduce the + potential for abuse, implementers plan a number of mitigations, + including rate-limiting <a>canMakePayment()</a> calls from the same + origin. + </li> + <li>A user agent can limit matching (in <a>show()</a> and + <a>canMakePayment()</a>) to <a>payment handlers</a> from the same + <a data-cite="rfc6454#section-3.2">origin</a> as a URL <a>payment + method identifier</a>. User agents can also use information provided + by a <a>payment method</a> owner to match <a>payment handlers</a> + from other origins.

The text in Section 18.2 doesn't provide any more details about how these mechanisms work (e.g., the information that would be provided by a payment method owner such as a whitelist of acceptable payment handlers) or their applicability (e.g., there's no URL to match in the case of a standardized payment method identifier).

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/w3c/payment-request/pull/683#pullrequestreview-96346033
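Review bot: "date protection" in the canMakePayment() list item looks like a typo for "data protection"; suggest "seeks a balance between user experience and data protection". In the same item, "implementers plan a number of mitigations" names only rate-limiting of calls from the same origin, so consider either listing the other mitigations or wording it as "mitigations such as rate-limiting", so the reader can tell what protection the text is actually describing.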
Received on Wednesday, 14 February 2018 05:11:22 UTC