Re: [w3c/payment-handler] Collecting use cases that require payment handler window to be 1P context (#370)

As discussed in the meeting on 30 April I think it would be interesting to explore how the security policies of APIs like Credential Management could be changed when in a payment context (i.e. when invoked from inside a Payment Handler).

E.g. a possible flow:
- User visits RP origin in 1p context and authenticates using credential management API.
- RP stores credential using credentials API.
- RP payment handler is invoked and it attempts to get a stored credential specifying a 'silent' flow (i.e. it fails if that is not possible).
- If silent login is not possible, RP does higher-friction login.

This might not be allowed in a 3p context, but perhaps could be allowed if invoked from the PH context.

https://github.com/w3c/payment-handler/issues/370#issuecomment-621949231

Received on Thursday, 30 April 2020 16:06:54 UTC
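
The last two steps of the flow in the message above (silent credential lookup inside the payment handler, then fallback to a higher-friction login), as an added example that is not part of the original message or of any W3C specification text. `loginInPaymentHandler`, `interactiveLogin` and the stub container are hypothetical names; whether a silent `get()` is permitted in a payment handler context is the open question the message raises, so the constructed stubs only model the possible outcomes.

```javascript
// Added example. `credentials` is a CredentialsContainer (navigator.credentials
// in a browser); `interactiveLogin` is a hypothetical RP callback.
async function loginInPaymentHandler(credentials, interactiveLogin) {
  let cred = null;
  if (credentials && typeof credentials.get === 'function') {
    try {
      // 'silent' never shows UI: it resolves with null when a credential
      // cannot be returned without user mediation.
      cred = await credentials.get({ password: true, mediation: 'silent' });
    } catch (err) {
      // Assumption: a context where policy blocks the call rejects instead
      // of resolving null. Either way, no silent login happened.
      cred = null;
    }
  }
  if (cred) return { method: 'silent', id: cred.id };
  const session = await interactiveLogin(); // higher-friction login
  return { method: 'interactive', id: session.id };
}

// Constructed stand-ins for three contexts, so the logic runs outside a browser.
function stubContainer(behaviour) {
  return {
    async get(options) {
      if (options.mediation !== 'silent') throw new Error('UI not expected');
      if (behaviour === 'stored') return { type: 'password', id: 'alice@rp.example' };
      if (behaviour === 'blocked') {
        const e = new Error('blocked by context policy');
        e.name = 'NotAllowedError';
        throw e;
      }
      return null; // nothing stored, or user mediation would be required
    },
  };
}

async function runConstructedScenarios() {
  const fallback = async () => ({ id: 'alice@rp.example' }); // constructed
  const out = {};
  for (const b of ['stored', 'empty', 'blocked']) {
    out[b] = await loginInPaymentHandler(stubContainer(b), fallback);
  }
  out.noApi = await loginInPaymentHandler(undefined, fallback);
  return out;
}
```

In a browser, pass `navigator.credentials` as the first argument; the stubs exist only to exercise the fallback logic offline.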