[w3c/payment-request] Document privacy and security mitigations (#675)

As part of the CR process and through implementation/deployment, we've learned quite a bit about abuse cases. We should make sure we properly document all mitigations we've put in place, without being hand-wavy, in the Privacy and Security section.

- [ ] use of SecureContext
- [ ] the `allowpaymentrequest` attribute on iframe
- [ ] `canMakePayment()` and throttling
- [ ] requiring user action on `show()`

And so on... please add more to the above... those are just the ones off the top of my head. 



Received on Wednesday, 24 January 2018 04:35:35 UTC