- From: Anders Rundgren <notifications@github.com>
- Date: Fri, 17 Nov 2023 10:27:03 -0800
- To: w3c/payment-request <payment-request@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 17 November 2023 18:27:09 UTC

If we stick to trust in the payment process, the user-signed transaction request should preferably include the domain name of the merchant. Since this part could be collected by the browser during SPC invocation, it is not possible to fake. This makes relaying (or stealing) authorizations much less useful, here assuming that verifiers check this parameter as well as claimed receive account etc.

--
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/issues/1014#issuecomment-1816895998
You are receiving this because you are subscribed to this thread.

Message ID: <w3c/payment-request/issues/1014/1816895998@github.com>
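
The verifier-side check that the message above assumes, as an added example that is not part of the original message or of the SPC specification. The payload layout and the names `signRequest`, `verifyAuthorization`, `merchantOrigin` and `payeeAccount` are hypothetical, and the key pair and sample values are constructed.

```javascript
// Added example: hypothetical payload layout, not the SPC wire format.
const crypto = require("node:crypto");

// Constructed key pair standing in for the user's registered credential.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });

// Client side: merchantOrigin is filled in by the browser from the origin it
// observed at invocation, never from values supplied by page script.
function signRequest(fields, browserObservedOrigin) {
  const payload = Buffer.from(
    JSON.stringify({ ...fields, merchantOrigin: browserObservedOrigin })
  );
  return { payload, signature: crypto.sign("sha256", payload, privateKey) };
}

// Verifier side: `expected` describes the transaction as submitted to the
// verifier (assumption: the verifier knows the submitting merchant's
// registered origin and receive account out of band).
function verifyAuthorization({ payload, signature }, expected) {
  // 1. The signature covers the whole payload, including merchantOrigin.
  if (!crypto.verify("sha256", payload, publicKey, signature)) return "bad-signature";
  const req = JSON.parse(payload.toString("utf8"));
  // 2. The signed origin must be the merchant presenting the authorization.
  if (req.merchantOrigin !== expected.merchantOrigin) return "merchant-mismatch";
  // 3. The claimed receive account and the amount must match as well.
  if (req.payeeAccount !== expected.payeeAccount) return "payee-mismatch";
  if (req.amount !== expected.amount || req.currency !== expected.currency) {
    return "amount-mismatch";
  }
  return "ok";
}

// Constructed sample transaction, authorized by the user at shop.example.
const shopTx = { payeeAccount: "ACCT-SHOP-001", amount: "25.00", currency: "EUR" };
const auth = signRequest(shopTx, "https://shop.example");

function demo() {
  const atShop = { ...shopTx, merchantOrigin: "https://shop.example" };
  const elsewhere = { ...shopTx, merchantOrigin: "https://other.example" };
  // Rewriting the signed origin after the fact invalidates the signature.
  const edited = Buffer.from(
    auth.payload.toString("utf8").replace("shop.example", "other.example")
  );
  return {
    legitimate: verifyAuthorization(auth, atShop),
    relayed: verifyAuthorization(auth, elsewhere),
    tampered: verifyAuthorization({ payload: edited, signature: auth.signature }, elsewhere),
  };
}
```

The relayed case fails only because the verifier compares the signed origin with the merchant presenting the authorization; a verifier that checks the signature alone would accept it.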