Preventing spoofed buyflows #10

@msporny

The current Browser Payments specification requires a whitelist of organizations that are capable of making the chrome buyflow frame appear. What happens when we want to have multiple payment providers w/o a centralized whitelist on the Web? How do we prevent people from putting important password information into the buyflow frame? Should we have some basic tenets of the chrome buyflow that make it very difficult to spoof the information needed by the buyflow (such as, never allow the buyflow to accept a credit card number, or username/password, etc.)? We can accomplish this in PaySwarm by registering a cryptographic key w/ the browser - at that point, no information is needed from the buyer.
