Re: [w3c/payment-request] Spec is silent on its role in facilitating arbitrary communication between top level contexts (#936)

I agree with @danyao. If it isn't possible to determine off-device that any action has occurred, then there hasn't been a transfer of data between parties and gathering _consent to the transfer of data between parties_ is probably not required (depending on the specifics, other consents may of course be applicable).

I also agree that this is a concern for particular payment handlers to address. If a payment handler feels it has a use case that is both simultaneously sufficiently privacy preserving, but somehow cannot meet these basic requirements, then that can be a discussion on that specification.

These requirements are pretty fundamental to privacy though, so I cannot currently fathom what such a use case would look like. Given this, encouraging payment handlers to use additional mitigations and smart strategies to meet the bar set here, rather than lowering the bar to accommodate hitherto unknown handler behaviors, is almost certainly the correct approach.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/issues/936#issuecomment-770791457

Received on Monday, 1 February 2021 11:36:30 UTC