The capabilities of today’s browsers are not sufficient for meeting the security needs of web applications requiring authentication and payments. One of the two primary deficiencies is that content from one site cannot be adequately sandbox when executed on a relying web site. Yet embedding such third party micro-apps has become commonplace. The second deficiency is the reliance on passwords, as is so eloquently described by this post from Eevee.
Take making a PayPal transaction at a merchant web site as an example of the first deficiency. To make this work the merchant web site must redirect the user to PayPal’s web site where he or she then authenticates and authorizes the payment. The user is taken out of context, away from the merchant’s web site, with the possibility of being subject to phishing. This is done because any PayPal code running within the context of the merchant’s site would not be secure: PayPal and the merchant cannot isolate each other’s code.Read on →