Re: [w3c/browser-payment-api] Security hole in payment API when a constructor from a no longer active document is invoked (#361) from Boris Zbarsky on 2016-12-15 (public-webpayments-specs@w3.org from December 2016)

From: Boris Zbarsky <notifications@github.com>
Date: Thu, 15 Dec 2016 07:38:32 -0800
To: w3c/browser-payment-api <browser-payment-api@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/browser-payment-api/issues/361/267358575@github.com>

> Are you referring here to the model of snapshotting the attribute at document creation time?

No, I'm referring to walking up through the node document of the iframe element you're nested through, as opposed to walking up to the parent browsing context and then trying to recover a document.  This part was addressed by switching to the HTML "allowed to use" concept, which already does this properly.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/browser-payment-api/issues/361#issuecomment-267358575

Received on Thursday, 15 December 2016 15:39:34 UTC