haystack / tipsy

A new project to encourage pay-what-you-want support for any web site.
http://tipsy.csail.mit.edu/
MIT License

[sec] Email fields at /tipsy.txt #90

Open rht opened 7 years ago

rht commented 7 years ago

The email fields at /tipsy.txt are crawlable by bots. Either encode it (a bit cumbersome for end-users) or ...

da2x commented 7 years ago

This isn't really much of a problem. Just be sure to ask publishers to use dedicated email addresses. PayPal requires business accounts to receive service payments anyway, so websites should already be using addresses like tipsy-micropayments@mydomain.com for this purpose (and bookkeeping).

The only bug here is that the documentation should be improved.

da2x commented 7 years ago

You can also use your merchant account ID instead of an email address.

Note that a merchant account is required when you receive payment for business purposes as per PayPal’s terms of stuff. Forms and documentation should be updated. The generator script should have its valid email formatting requirement removed, etc.

rht commented 7 years ago

Right, I see -- it looks like the merchant account ID (in the context of PayPal's protocol, and possibly there is an equivalent in Dwolla's as well) was devised to replace email address for the button code. This is a breaking change, and could be coordinated with the priv key migration to fix #101.
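
The thread's two concrete points are that a plain email address in a public tipsy.txt is trivially harvestable and that the generator's validation would have to accept a merchant account ID in place of an email. The following is an added illustration of both, not code from the tipsy project: it assumes a hypothetical `key: value` record layout (the real tipsy.txt format is not shown in this issue) and assumes PayPal secure merchant IDs are 13 upper-case alphanumeric characters; the sample records are constructed.

```python
import re

# Loose email shape check: one "@", no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Assumption (not stated on the page): PayPal secure merchant account IDs are
# 13 upper-case alphanumeric characters. Adjust if the real format differs.
MERCHANT_ID_RE = re.compile(r"[A-Z0-9]{13}")

# Constructed sample records in a hypothetical "key: value" layout.
SAMPLE_EMAIL_RECORD = (
    "# constructed record, field layout is hypothetical\n"
    "paypal: tipsy-micropayments@mydomain.com\n"
)
SAMPLE_ID_RECORD = (
    "# constructed record, field layout is hypothetical\n"
    "paypal: ABCDEFGHIJKLM\n"
)


def classify_payee(value: str):
    """Return "merchant_id", "email", or None for an unrecognised payee value."""
    v = value.strip()
    if MERCHANT_ID_RE.fullmatch(v):
        return "merchant_id"
    if EMAIL_RE.fullmatch(v):
        return "email"
    return None


def check_payee(value: str, allow_email: bool = True):
    """Validation a generator script could apply once email is no longer
    mandatory: returns (ok, reason). Set allow_email=False to require an
    opaque merchant ID so nothing harvestable is published."""
    kind = classify_payee(value)
    if kind is None:
        return False, "expected a merchant account ID or an email address"
    if kind == "email" and not allow_email:
        return False, "email addresses are published verbatim; use a merchant ID"
    return True, kind


def harvestable_addresses(text: str):
    """Every email-looking token a naive scraper would pull from a record.
    This is the exposure the issue describes; a merchant ID yields nothing."""
    return EMAIL_RE.findall(text)


if __name__ == "__main__":
    for record in (SAMPLE_EMAIL_RECORD, SAMPLE_ID_RECORD):
        value = record.splitlines()[-1].split(":", 1)[1]
        print(check_payee(value, allow_email=False), harvestable_addresses(record))
```

Running the block prints a rejection for the email record (and the address a scraper would collect from it) and an acceptance for the merchant-ID record with an empty harvest list, which is the property the thread is after.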