Re: [w3c/browser-payment-api] Security hole in payment API when a constructor from a no longer active document is invoked (#361)

> What you may want to do is restrict this API to fully active documents only.

This should be done with my proposed changes.

> But even then, walking up the creator document chain (but only until you get to a document in a toplevel browsing context) makes more sense than walking up the ancestor browsing context chain.

Are you referring here to the model of snapshotting the attribute at document creation time? If not, I do not follow.

-- 
https://github.com/w3c/browser-payment-api/issues/361#issuecomment-267337895

Received on Thursday, 15 December 2016 14:18:44 UTC