- From: Jinho Bang <notifications@github.com>
- Date: Fri, 11 Aug 2017 07:40:10 +0000 (UTC)
- To: w3c/payment-handler <payment-handler@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 11 August 2017 07:40:33 UTC
Seems reasonable to me. I thought it's a little bit strange.
Even if openWindow() takes a normal origin url, it may eventually end up with a cross origin url due to server side redirection. In this case, openWindow() will reject with SecurityError as per current spec but Browser Tab(or Browser Window) is already shown to user. So, although the method is rejected, it will show about:blank or a cross origin page. (@gogerald's point)
Another case is a bit more weird. Please see the following code.
```
e.openWindow(normal_origin_url)
.then(windowClient => {
// openWindow is succeeded but...
windowClient.navigate(cross_origin_url);
});
```
Even if openWindow() is succeeded, the opened window may display a cross origin url due to windowClient.navigate() or location.href.
So, it's too difficult to block a cross origin url during openWindow especially navigation.
I think a ServiceWorker's way (resolving null) is reasonable and consistent.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-handler/issues/201#issuecomment-321749030
Received on Friday, 11 August 2017 07:40:33 UTC