Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Spec] Be clearer about authentication ceremony privacy in 4.1.4
Before this PR, the spec was vague about the timing attack and also didn't specify at all that an implementation must return a NotAllowedError instead of the normal PaymentRequest NotSupportedError in the case of no-matching-credentials. Whilst we don't want to enforce that UAs show a dialog here (they may decide, for example, that a delayed response instead is sufficiently privacy preserving), this PR does try to make the actual concern clearer and more normative, and add a normative requirement for the return value. Should also improve the situation called out in #142
- Loading branch information