- From: Marcos Cáceres <notifications@github.com>
- Date: Thu, 27 Feb 2020 00:01:19 -0800
- To: w3c/payment-handler <payment-handler@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 27 February 2020 08:01:35 UTC
We might need to revisit the permission model for this spec. In particular, I'm a little bit concerned that any site registering a service worker can grab an instance of PaymentManger and start adding instruments. This is particularly concerning for things like "basic-card", where any arbitrary site can be like, "I can do basic card for you" and insert a random instrument (e.g., just to annoy the user) into the instruments database. The "fake" payment handler will then show up in payment sheet for basic card. For example, https://marcospay.com: <img width="527" alt="Screenshot 2020-02-27 19 00 17" src="https://user-images.githubusercontent.com/870154/75423740-6b17ae00-5993-11ea-9293-439cd717e983.png"> -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/payment-handler/issues/363
Received on Thursday, 27 February 2020 08:01:35 UTC