[w3c/browser-payment-api] Security hole in payment API when a constructor from a no longer active document is invoked (#361)

Step 3.3 of the payment request constructor now says:

> If any ancestor browsing context of context has an active document with an origin that is not the same as origin and context's browsing context container's node document is not allowed to use the feature indicated by attribute name allowpaymentrequest, then throw a SecurityError.

This seems wrong in the case when the constructor doesn't come from the active document. In particular it seems to me that this allows the following attack:

1. Site A opens a new window and navigates it to a page on site B that has an iframe.
2. Site A navigates that iframe to a URL from site A.
3. Site A grabs the PaymentRequest constructor from the document currently in the iframe.
4. Site A navigates the iframe again, to a URL from site B.
5. Site A invokes the constructor it grabbed.
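The following is an added, constructed model of the five steps above, written for this note and not taken from the issue, the spec or any browser. It represents browsing contexts that hold an active document and a constructor bound to the document it was obtained from, and compares the quoted step-3.3 check on its own with the same check preceded by a "fully active" test on the constructor's own document. The interpretation that `context` and `origin` in the quoted step are derived from the browsing context's current active document, the `containerAllowsPayment` flag standing in for the allowpaymentrequest attribute, and the `InvalidStateError` for the added check are all assumptions of this model:

```javascript
// Constructed model of the issue's scenario; names and structure are
// hypothetical and do not mirror the spec's or any engine's internals.

class BrowsingContext {
  constructor(parent = null, containerAllowsPayment = false) {
    this.parent = parent;                 // ancestor context, null for top-level
    // Whether the <iframe> hosting this context carries allowpaymentrequest
    this.containerAllowsPayment = containerAllowsPayment;
    this.activeDocument = null;
  }
  // Navigating replaces the active document; the old one stays reachable
  // to any script that kept a reference to its constructors.
  navigate(origin) {
    const doc = { origin, browsingContext: this };
    this.activeDocument = doc;
    return doc;
  }
  *ancestors() {
    for (let bc = this.parent; bc !== null; bc = bc.parent) yield bc;
  }
}

// HTML's notion: a document is fully active when it is the active document
// of its browsing context and every ancestor's active document is too.
function isFullyActive(doc) {
  const bc = doc.browsingContext;
  if (bc.activeDocument !== doc) return false;
  return bc.parent === null || isFullyActive(bc.parent.activeDocument);
}

class SecurityError extends Error {}
class InvalidStateError extends Error {}

// The check as quoted in the issue. Assumption: "origin" comes from the
// browsing context's *current* active document, not from the document the
// constructor was taken from.
function ancestorOriginCheck(context) {
  const origin = context.activeDocument.origin;
  for (const ancestor of context.ancestors()) {
    if (ancestor.activeDocument.origin !== origin && !context.containerAllowsPayment) {
      throw new SecurityError('cross-origin ancestor without allowpaymentrequest');
    }
  }
}

// A constructor bound to the document it was obtained from, as a window's
// PaymentRequest is bound to that window's document. With requireFullyActive
// the constructor first refuses to run for a document that has been
// navigated away from (the assumed fix).
function makePaymentRequestConstructor(relevantDocument, { requireFullyActive }) {
  return function PaymentRequest() {
    if (requireFullyActive && !isFullyActive(relevantDocument)) {
      throw new InvalidStateError('constructor document is no longer fully active');
    }
    ancestorOriginCheck(relevantDocument.browsingContext);
    return { origin: relevantDocument.origin };
  };
}

// Steps 1-5 of the issue; returns what step 5 produced. With
// invokeBeforeStep4 the constructor is invoked right after step 3 instead.
function runScenario(requireFullyActive, invokeBeforeStep4 = false) {
  const popup = new BrowsingContext();                 // step 1: A opens a window
  popup.navigate('https://b.example');                 // ... navigated to site B
  const iframe = new BrowsingContext(popup, false);    // B's page has an iframe
  iframe.navigate('https://b.example');
  const docA = iframe.navigate('https://a.example');   // step 2: iframe now shows A
  const Ctor = makePaymentRequestConstructor(docA, { requireFullyActive }); // step 3
  if (!invokeBeforeStep4) iframe.navigate('https://b.example'); // step 4
  try {
    new Ctor();                                          // step 5
    return 'constructed';
  } catch (e) {
    return e.constructor.name;
  }
}
```

Invoked right after step 3, both variants throw a SecurityError, since the iframe's active document is site A's and its ancestor is site B's. After step 4 the quoted check alone compares site B against site B and lets site A's script construct a request, while the variant that first requires the constructor's own document to be fully active rejects it.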

https://github.com/w3c/browser-payment-api/issues/361

Received on Wednesday, 7 December 2016 01:44:46 UTC