- From: Adrian Hope-Bailie <notifications@github.com>
- Date: Thu, 15 Feb 2018 10:37:35 +0000 (UTC)
- To: w3c/3ds <3ds@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 15 February 2018 10:37:59 UTC
I'd go a step further and say that EMVCo should make this the recommended way of doing 3DS2.0.

The first thing a merchant (or their PSP) should do is use `canMakePayment` to determine if the user can do a 3DS2.0 payment using an approved handler and if so avoid trying to embed issuer scripts etc. into the page at all.

I think that in time you will find that it will get harder and harder for a website to insert JS from another origin as users will actively block this. There are increasing incidents of third-party JS being malicious even when served from a trusted source (see recent crypto-currency mining scripts in JS-based Google ads).

In the case of a PSP you have a user on X merchant origin, already running script from Y PSP origin that then wants to inject more script from Z issuer origin. As a user I am thinking that's just too many degrees of separation for me.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/w3c/3ds/issues/2#issuecomment-365888185
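
The `canMakePayment` check described in the comment above, sketched as an added example (not code from the thread or from EMVCo): the merchant or PSP page probes for a payment handler first and treats embedding issuer script as the fallback only. `HANDLER_METHOD`, `choose3dsFlow` and `fakePaymentRequest` are hypothetical names, and the payment method URL is a placeholder.

```javascript
// Added example. HANDLER_METHOD is a hypothetical URL-based payment method
// identifier for an approved 3DS 2.0 payment handler (placeholder value).
const HANDLER_METHOD = 'https://3ds-handler.example/pay';

// Decide which 3DS 2.0 flow the page should use. Returns 'payment-handler'
// only when canMakePayment() resolves to true; every other outcome (no API,
// constructor error, rejection, timeout) returns 'embedded-fallback', the
// only path on which third-party issuer script would be loaded.
// PaymentRequestCtor is injected so the logic runs outside a browser;
// in a page, pass window.PaymentRequest.
async function choose3dsFlow(PaymentRequestCtor, total, timeoutMs = 2000) {
  if (typeof PaymentRequestCtor !== 'function') return 'embedded-fallback';
  let request;
  try {
    request = new PaymentRequestCtor(
      [{ supportedMethods: HANDLER_METHOD }],
      { total: { label: 'Total', amount: total } }
    );
  } catch (err) {
    return 'embedded-fallback'; // constructor throws on invalid input
  }
  let timer;
  const timeout = new Promise((resolve) => {
    timer = setTimeout(() => resolve(false), timeoutMs);
  });
  try {
    // Do not let a probe that never settles stall checkout.
    const ok = await Promise.race([request.canMakePayment(), timeout]);
    return ok === true ? 'payment-handler' : 'embedded-fallback';
  } catch (err) {
    return 'embedded-fallback'; // canMakePayment() may reject
  } finally {
    clearTimeout(timer);
  }
}

// Constructed stand-in for window.PaymentRequest, for running offline.
// `behaviour` receives the requested method data and returns a promise.
function fakePaymentRequest(behaviour) {
  return class {
    constructor(methods) { this.methods = methods; }
    canMakePayment() { return behaviour(this.methods); }
  };
}
```
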