[w3c/payment-handler] Require user gesture before installation payment app that supports a standardized payment method? (#380) from ianbjacobs on 2020-12-08 (public-webpayments-specs@w3.org from December 2020)

From: ianbjacobs <notifications@github.com>
Date: Tue, 08 Dec 2020 09:20:13 -0800
To: w3c/payment-handler <payment-handler@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/payment-handler/issues/380@github.com>

Based on discussion around basic card [1], I am wondering whether we could increase security by requiring a user gesture before installing any payment app that supports a standardized payment method. I believe that just-in-time payment app installation already requires a user gesture, so that would suffice for that use case. But if the user visits a Web site and the site wishes to install a service worker for, say, basic card, the browser could ask the user to confirm before installing
that payment app. This would happen even if the payment app also supports other payment methods.

There would be no extra user gesture required for a payment app that supports ONLY URL-based payment methods. My thinking is that we have an extra layer of accountability in the case of URL-based payment methods. 

Furthermore, since the wildcard has been removed from the payment method manifest spec [2], it seems we no longer have the same "arbitrary payment app" concern for URL-based payment methods.

Ian


[1] https://github.com/w3c/payment-handler/issues/379
[2] https://github.com/w3c/payment-method-manifest/commit/20500dc7da6a544fced531f00faf092609b4933e#diff-5e793325cd2bfc452e268a4aa2f02b4024dd9584bd1db3c2595f61f1ecf7b985

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-handler/issues/380

Received on Tuesday, 8 December 2020 17:20:26 UTC