Re: [w3c/payment-request] Spec is silent on its role in facilitating arbitrary communication between top level contexts (#936)

> Hi @Sauski,
> 
> Thank you for submitting this issue. Would a statement like the following be helpful in section 18.7?
> 
> "Payment Request API intends to support a wide array of payment methods and corresponding data models. As a result, arbitrary data may be provided by the calling origin via PaymentMethodData.data to the origin of the payment app selected by the user. Similarly, data used to complete the transaction is returned from the selected payment app origin to the calling origin via PaymentResponse.details. Browser features (e.g., as part of implementation of the Payment Handler API or other APIs) offer privacy protections, such as requiring user gestures before data crosses origins."

The first part, which identifies the problem, is helpful.

The second part, re: mitigations, needs to point to where those "browser features" are documented. The mitigations need to be specified in detail. Ideally, I'd like those mitigations to be in this spec. If you can make a case for them being different per payment handler, I'm fine with you pushing this out to them, but then this spec needs to require the payment handlers to define those mitigations.


-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/issues/936#issuecomment-765491184

Received on Friday, 22 January 2021 15:38:01 UTC