Re: [w3c/payment-request] Editorial: describe security mitigations #675 (#683)

ianbjacobs commented on this pull request.



> +          context</a>'s permission.
+          </li>
+          <li>In the definition of <a>canMakePayment()</a> the Working Group
+          seeks a balance between user experience and date protection. As
+          defined, <a>canMakePayment()</a> provides the party that calls the
+          API with information about the user's environment. To reduce the
+          potential for abuse, implementers plan a number of mitigations,
+          including rate-limiting <a>canMakePayment()</a> calls from the same
+          origin.
+          </li>
+          <li>A user agent can limit matching (in <a>show()</a> and
+          <a>canMakePayment()</a>) to <a>payment handlers</a> from the same
+          <a data-cite="rfc6454#section-3.2">origin</a> as a URL <a>payment
+          method identifier</a>. User agents can also use information provided
+          by a <a>payment method</a> owner to match <a>payment handlers</a>
+          from other origins.
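
Review bot: In the canMakePayment() item, "user experience and date protection" looks like a typo for "data protection" and should be corrected before merge. In the same item, "implementers plan a number of mitigations" names only rate-limiting of calls from the same origin; since the change is meant to describe mitigations, either list the others or say explicitly that rate-limiting is one example. The last item says user agents can use "information provided by a payment method owner" to match payment handlers from other origins, but does not say where that information is published, so a reader cannot tell what authorizes cross-origin matching; a short description or a pointer would close that gap.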

Hi @stpeter,
I have avoided adding an informative reference here to the payment method manifest spec. It would be good to hear whether the editors think an informative reference to that spec would be appropriate and acceptable.
Ian


Received on Tuesday, 20 February 2018 19:06:55 UTC