A Chrome developer ended up confused by this section because it says:

"The fact that a successful match to a payment method causes a user interface to be displayed mitigates the disclosure risk."

However, this is not true for "the payment request API" in general, only for paymentRequest.show(). In particular, canMakePayment() can be called without UI.
This section should be rewritten to be specific about which methods it is talking about, and additionally talk about canMakePayment()'s step 3 mitigations.
As a separate problem, the "may" requirements in this section are very bad, and should be moved to the show() method.
I can try to work on this "soon", but it's hard to guarantee availability for this week or next, so since it seems things are heading toward some sort of spec freeze, maybe someone else can help out here.