Re: [w3c/payment-handler] CanMakePaymentEvent handling algorithm unclear (#330)

Very interesting attack vector! We can mitigate this by short-circuiting the `hasEnrolledInstrument()` algorithm when the merchant and the payment handler are from the same origin. In that case, we can fire the `CanMakePaymentEvent` without any privacy violations, because it's a single origin communicating to itself. This behavior would be the same for both regular and private browsing mode, thus removing the possibility of detection of private browsing mode.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-handler/issues/330#issuecomment-456900891

Received on Wednesday, 23 January 2019 17:52:14 UTC