|
838 | 838 | Optionally, if the <a>user agent</a> wishes to disallow the call |
839 | 839 | to <a>show()</a> to protect the user, then return a promise |
840 | 840 | rejected with a "<a>SecurityError</a>" <a>DOMException</a>. See |
841 | | - <a href="#sec-enhancements"></a>. |
| 841 | + <a href="#security"></a>. |
842 | 842 | </p> |
843 | 843 | <p class="note"> |
844 | 844 | During the Candidate Recommendation phase, implementations are |
@@ -3320,52 +3320,45 @@ <h2> |
3320 | 3320 | </section> |
3321 | 3321 | </section> |
3322 | 3322 | <section class="informative"> |
3323 | | - <h2> |
3324 | | - Security Considerations |
| 3323 | + <h2 id="security"> |
| 3324 | + Security and Privacy Considerations |
3325 | 3325 | </h2> |
3326 | | - <section class="informative"> |
3327 | | - <h2 id="sec-enhancements"> |
3328 | | - Mechanisms to enhance security |
3329 | | - </h2> |
3330 | | - <p> |
3331 | | - This specification includes a number of mechanisms to enhance the |
3332 | | - security of the API: |
3333 | | - </p> |
3334 | | - <ul data-link-for="PaymentRequest"> |
3335 | | - <li>The <a>PaymentRquest</a>'s <a>show()</a> method needs to |
3336 | | - <a>triggered by user activation</a>. This reduces content's ability |
3337 | | - to unexpectedly cause a request for payment to be displayed to the |
3338 | | - end-user. |
3339 | | - </li> |
3340 | | - <li>Interfaces are <a data-cite= |
3341 | | - "WEBIDL#dfn-available-only-in-secure-contexts">available only in a |
3342 | | - secure context</a>, to reduce the possibly that credentials will be |
3343 | | - acquired and transferrer through insecure communication protocols. |
3344 | | - </li> |
3345 | | - <li>A <a>top-level browsing context</a> need to explicitly grant an |
3346 | | - <a>iframe</a> the ability to access the <a>PaymentRequest</a> |
3347 | | - interface via the <a>allowpaymentrequest</a> attribute. This prevents |
3348 | | - embedded third-party content from accessing the interfaces of the |
3349 | | - <cite>Payment Request API</cite> without the <a>top-level browsing |
3350 | | - context</a>'s permission. |
3351 | | - </li> |
3352 | | - <li>In the definition of <a>canMakePayment()</a> the Working Group |
3353 | | - seeks a balance between user experience and date protection. As |
3354 | | - defined, <a>canMakePayment()</a> provides the party that calls the |
3355 | | - API with information about the user's environment. To reduce the |
3356 | | - potential for abuse, implementers plan a number of mitigations, |
3357 | | - including rate-limiting <a>canMakePayment()</a> calls from the same |
3358 | | - origin. |
3359 | | - </li> |
3360 | | - <li>A user agent can limit matching (in <a>show()</a> and |
3361 | | - <a>canMakePayment()</a>) to <a>payment handlers</a> from the same |
3362 | | - <a data-cite="rfc6454#section-3.2">origin</a> as a URL <a>payment |
3363 | | - method identifier</a>. User agents can also use information provided |
3364 | | - by a <a>payment method</a> owner to match <a>payment handlers</a> |
3365 | | - from other origins. |
3366 | | - </li> |
3367 | | - </ul> |
3368 | | - </section> |
| 3326 | + <p> |
| 3327 | + This specification includes a number of mechanisms to mitigate security |
| 3328 | + threats and support user privacy: |
| 3329 | + </p> |
| 3330 | + <ul data-link-for="PaymentRequest"> |
| 3331 | + <li>The <a>PaymentRequest</a>'s <a>show()</a> method needs to |
| 3332 | + <a>triggered by user activation</a>. This reduces the ability to |
| 3333 | + surprise the user by triggering an unexpected request for payment. |
| 3334 | + </li> |
| 3335 | + <li>Interfaces are <a data-cite= |
| 3336 | + "WEBIDL#dfn-available-only-in-secure-contexts">available only in a |
| 3337 | + secure context</a>, to reduce the possibility that credentials will be |
| 3338 | + acquired and transferred through insecure communication protocols. |
| 3339 | + </li> |
| 3340 | + <li>A <a>top-level browsing context</a> needs to explicitly grant an |
| 3341 | + <a>iframe</a> access to the <a>PaymentRequest</a> interface via the <a> |
| 3342 | + allowpaymentrequest</a> attribute. This prevents embedded third-party |
| 3343 | + content from accessing the interfaces of the <cite>Payment Request |
| 3344 | + API</cite> without permission from the <a>top-level browsing |
| 3345 | + context</a>. |
| 3346 | + </li> |
| 3347 | + <li>In the definition of <a>canMakePayment()</a> the Working Group |
| 3348 | + seeks a balance between user experience and data protection. As |
| 3349 | + defined, <a>canMakePayment()</a> provides the party that calls the API |
| 3350 | + with information about the user's environment. To reduce the potential |
| 3351 | + for abuse, implementers plan a number of mitigations, including |
| 3352 | + rate-limiting <a>canMakePayment()</a> calls from the same origin. |
| 3353 | + </li> |
| 3354 | + <li>A user agent can limit matching (in <a>show()</a> and |
| 3355 | + <a>canMakePayment()</a>) to <a>payment handlers</a> from the same |
| 3356 | + <a data-cite="rfc6454#section-3.2">origin</a> as a URL <a>payment |
| 3357 | + method identifier</a>. User agents can also use information provided by |
| 3358 | + a <a>payment method</a> owner to match <a>payment handlers</a> from |
| 3359 | + other origins. |
| 3360 | + </li> |
| 3361 | + </ul> |
3369 | 3362 | <section class="informative"> |
3370 | 3363 | <h2> |
3371 | 3364 | Encryption of data fields |
|
0 commit comments