Re: [w3c/browser-payment-api] Security hole in payment API when a constructor from a no longer active document is invoked (#361) from Boris Zbarsky on 2016-12-07 (public-webpayments-specs@w3.org from December 2016)

From: Boris Zbarsky <notifications@github.com>
Date: Tue, 06 Dec 2016 17:51:32 -0800
To: w3c/browser-payment-api <browser-payment-api@noreply.github.com>
Message-ID: <w3c/browser-payment-api/issues/361/265331829@github.com>

Or alternately B could window.open another window from B, then grab a reference to the constructor, from that window or one of its subframes, then navigate to A, then call the constructor.

What you may want to do is restrict this API to fully active documents only.  But even then, walking up the creator document chain (but only until you get to a document in a toplevel browsing context) makes more sense than walking up the ancestor browsing context chain.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/browser-payment-api/issues/361#issuecomment-265331829

Received on Wednesday, 7 December 2016 01:52:32 UTC