Re: [w3c/payment-request] Spec is silent on its role in facilitating arbitrary communication between top level contexts (#936)

@samuelweiler,

How about something like this:

"Payment Request API intends to support a wide array of payment methods and corresponding data models. As a result, arbitrary data may be provided by the calling origin via PaymentMethodData.data to the origin of the payment app selected by the user. Similarly, data used to complete the transaction is returned from the selected payment app origin to the calling origin via PaymentResponse.details. Browser features (e.g., as part of implementation of the Payment Handler API or other APIs) offer privacy protections, such as requiring user gestures before data crosses origins. Although mitigation strategies may vary depending on context, it is the responsibility of any specification that enables a payment app ecosystem to address these issues. For more information about mitigation strategies for payment apps, see the Payment Handler Privacy Threat Model."



-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/issues/936#issuecomment-765508914

Received on Friday, 22 January 2021 16:01:35 UTC
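The proposed text above names two cross-origin data hops: PaymentMethodData.data from the calling origin to the payment app, and PaymentResponse.details back again. The following is an added example, not code from the w3c/payment-request spec, the Payment Handler API or this thread; it models both hops and applies the check each receiving origin wants, which is to treat the other side's data as untrusted and keep only the fields its own data model defines. The payment method identifier, the two field schemas and the size cap are assumptions for illustration, not spec values.

```javascript
// Added example (not from the spec or the thread). Both ends of the
// PaymentMethodData.data / PaymentResponse.details exchange validate
// what the other origin sent against an allow-list schema.

const ASSUMED_METHOD = "https://example.com/pay"; // hypothetical URL payment method identifier
const MAX_CROSS_ORIGIN_BYTES = 4096;              // assumed cap on serialized payload size

// Reject oversized payloads before looking inside them.
function enforceSize(value) {
  const bytes = Buffer.byteLength(JSON.stringify(value), "utf8");
  if (bytes > MAX_CROSS_ORIGIN_BYTES) {
    throw new RangeError(`cross-origin payload too large: ${bytes} bytes`);
  }
  return value;
}

// Keep only the fields named in `schema`, each checked against its expected
// typeof; any other field the other origin included is silently dropped.
function pickAllowed(input, schema) {
  if (input === null || typeof input !== "object" || Array.isArray(input)) {
    throw new TypeError("expected a plain object");
  }
  const out = {};
  for (const [key, type] of Object.entries(schema)) {
    if (!(key in input)) throw new TypeError(`missing field: ${key}`);
    if (typeof input[key] !== type) throw new TypeError(`bad type for field: ${key}`);
    out[key] = input[key];
  }
  return out;
}

// Calling origin -> payment app: the PaymentMethodData[] the merchant would
// pass to the PaymentRequest constructor (one entry for the assumed method).
function buildMethodData(data) {
  return [{ supportedMethods: ASSUMED_METHOD, data: enforceSize(data) }];
}

// Payment app side: the data model this method defines for incoming data
// (assumed). Anything else the merchant sent does not reach app logic.
const METHOD_DATA_SCHEMA = { merchantId: "string", orderId: "string" };
function acceptMethodData(methodData) {
  const entry = methodData.find((m) => m.supportedMethods === ASSUMED_METHOD);
  if (!entry) throw new Error("no entry for the supported payment method");
  return pickAllowed(enforceSize(entry.data), METHOD_DATA_SCHEMA);
}

// Payment app -> calling origin: the data model the merchant expects in
// PaymentResponse.details (assumed). Extra fields are dropped, and the
// fields that are kept get a format check before the merchant acts on them.
const RESPONSE_DETAILS_SCHEMA = { token: "string", last4: "string" };
function acceptResponseDetails(details) {
  const clean = pickAllowed(enforceSize(details), RESPONSE_DETAILS_SCHEMA);
  if (!/^\d{4}$/.test(clean.last4)) throw new TypeError("last4 must be four digits");
  return clean;
}

// Constructed walk-through of one round trip. The unexpected fields on both
// sides stand in for whatever the other origin chose to include.
const methodData = buildMethodData({ merchantId: "m-123", orderId: "o-789", unexpected: "x" });
const seenByApp = acceptMethodData(methodData);            // { merchantId, orderId }
const seenByMerchant = acceptResponseDetails({ token: "tok_abc", last4: "4242", unexpected: {} });
console.log(seenByApp, seenByMerchant);
```

The allow-list is the point: each origin only ever sees the fields its own data model declares, so the size of the arbitrary payload the other origin can push through the API is bounded at the receiving end regardless of what the browser enforces.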