Re: [w3c/payment-handler] Security consideration: more awareness about cross-origin sharing (#366)

@ianbjacobs commented on this pull request.



> @@ -2445,6 +2445,22 @@ <h2>
           </li>
         </ul>
       </section>
+      <section>
+        <h2>
+          User Awareness about Sharing Data Cross-Origin
+        </h2>
+        <ul>
+          <li>By design, a payment handler from one origin shares data with
+          another origin (e.g., the merchant site).
+          </li>
+          <li>It is important that user agents make clear to users the origin
+          of a payment handler.
+          </li>
+          <li>User agents should help users understand that they are sharing
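Review bot: The second list item ("It is important that user agents make clear to users the origin of a payment handler") states importance without a requirement level, while the item after it opens with "User agents should". Rewording it as "User agents should make clear to users the origin of a payment handler" would keep the two items parallel and tell implementers what is expected. The first item names the receiving origin only by example ("another origin (e.g., the merchant site)"); since the later items are about what the user is told, it would help to state that the recipient is the origin that invoked the payment handler, if that is what is meant.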

Hi @danyao, 

What level of detail do you think is practical? Some examples (verbiage illustrative only):

- Level 0: You are sharing personal information with <origin> for this transaction.
- Level 1: You are sharing address and contact information with <origin> for this transaction.
- Level 2: You are sharing the following with <origin>:
             <specific address>
             <specific contact information>

Ian

-- 
https://github.com/w3c/payment-handler/pull/366#discussion_r409871469

Received on Thursday, 16 April 2020 21:56:15 UTC