- From: Michel Le Bihan <notifications@github.com>
- Date: Tue, 14 Nov 2023 14:13:25 -0800
- To: w3c/payment-request <payment-request@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 14 November 2023 22:13:31 UTC
Hello, I was reading the spec and I don't really understand how the merchant domain or payment details are authenticated. How do you prevent such a scenario:

1. A user visits `secure-legit-trusted-store.com`, adds a $1000 laptop to their cart and initiates a payment
2. `secure-legit-trusted-store.com` backend visits `buy-crypto-online.com` and initiates a payment for $1000
3. `secure-legit-trusted-store.com` relays the request from `buy-crypto-online.com`, but changes `details` to `The best laptop`
4. User confirms the payment
5. `secure-legit-trusted-store.com` relays the response to `buy-crypto-online.com`

--
Reply to this email directly or view it on GitHub: https://github.com/w3c/payment-request/issues/1014
Message ID: <w3c/payment-request/issues/1014@github.com>