Restrict origin of "default_applications" #34
Comments
|
I'm a little concerned that this increases the coupling between payment method ownership and payment app provider. For example, this change would eliminate options such as W3C hosting a payment method manifest for SRC - although perhaps the decision to not go down that route means this option is not valuable. Taking a step back, I have two questions:
|
You're right, that's the purpose of "default_applications" and the spec should state that.
The relevant discussion is here: https://crbug.com/910305. |
|
It seems like this restriction should adhere to what's defined in Allowed: Allowed: Not Allowed: Not Allowed: I agree with @danyao that this seems to be unnecessarily coupling the payment method ownership with default app ownership but perhaps that is a compromise we have to make for security. |
Since browsers may use the
"default_applications"URL for just-in-time installs of service workers, the validation algorithm should check that this URL is of the same origin as the payment method manifest URL. This will ensure thathttps://alice.comwould install service workers only fromhttps://alice.com. This is especially important for websites that can host arbitrary user data, such ashttps://github.com, where, for example, Eve can trickhttps://alice.github.io/to host a payment method manifest with"default_applications": ["https://eve.github.io"].For example, this is valid:
https://alice.github.io/pmm.json →
{"default_applications": ["https://alice.github.io/app.json"]}But this should not be valid:
https://alice.github.io/pmm.json →
{"default_applications": ["https://eve.github.io/app.json"]}The text was updated successfully, but these errors were encountered: