- From: Danyao Wang <notifications@github.com>
- Date: Mon, 21 Sep 2020 07:16:11 -0700
- To: w3c/payment-request <payment-request@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 21 September 2020 14:16:24 UTC
@danyao commented on this pull request.
> + The {{PaymentRequest/canMakePayment()}} method has the potential to
+ expose user information that could be abused for fingerprinting
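Review bot: in the added sentence "has the potential to expose user information that could be abused for fingerprinting", the visible lines do not say which user information the method exposes. Naming what a caller actually learns from the result would let implementers judge how much fingerprinting surface the mitigations in this section need to cover.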
I wonder if we can soften or remove this section. The new `canMakePayment()` definition returns much less information, so realistically it may not be a real fingerprinting threat today (though it can be in a future with a large number of payment apps).
```suggestion
The {{PaymentRequest/canMakePayment()}} method provides feature detection for different payment.
It may become a fingerprinting vector if in the future, a large number of payment methods are available.
```
> <li>Rate-limiting the frequency of calls with different parameters.
</li>
This was originally added for the more fine-grained `hasEnrolledInstrument()`. I think it's not necessary for `canMakePayment()`. What do you think about removing it to keep things simple?
--
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/pull/930#pullrequestreview-492646622