The “canmakepayment” service worker event lets the merchant know whether the user has a card on file in an installed payment app. It used to silently pass the merchant's origin and arbitrary data to a service worker from payment app origin. This cross-origin communication happened on PaymentRequest construction in JavaScript, did not require a user gesture, and did not show any user interface. This silent data passage has been removed from the "canmakepayment" event (and the Android IS_READY_TO_PAY Intent).
To improve user privacy, remove the merchant origin and arbitrary data from the "canmakepayment" service worker event: - topOrigin - paymentRequestOrigin - methodData - modifiers
Samples: https://rsolomakhin.github.io/pr/apps/romantic-dirt-jaguar