by larssorenson
3916 days ago
There is also the situation of security to consider. Although browsers have made great strides in improving security, if we start including our payment information directly in the browser it could lead to potentially interesting situations. If a malicious entity escapes the sandbox or some memory reading vulnerability, they could figure out the payment information.
Of course, there's also XSS and CSRF, which could potentially allow a malicious entity to silently authorize payment by the user for their own website, all of which would have to be considered not only by the websites implementing the 402 API but also the browser.
Sure, we're already working to fix these problems for all other data and account purposes, but if history is any indicator, then I don't think we're ready just yet.