Re: [w3c/payment-handler] Return null after the window is opened instead of reject with 'SecurityError' (#202)

gogerald commented on this pull request.



> @@ -1705,10 +1705,6 @@
           <li>If <var>url</var> is <code>about:blank</code>, return a
           <a>Promise</a> rejected with a <a>TypeError</a>.
           </li>
-          <li>If <var>url</var>'s origin is not the same as the <a>service
-          worker</a>'s origin associated with the payment handler, return a <a>
-            Promise</a> rejected with a <a>SecurityError</a>.
-          </li>
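
Review bot: With the origin step deleted after the about:blank check, this hunk no longer says what the promise settles to when url's origin differs from the service worker's origin. The PR title says null is returned after the window is opened, so add an explicit step for that case in place of the removed one, and state there that the handler receives no WindowClient for a cross-origin window rather than leaving readers to infer it.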

https://bobpay.xyz can do window.location.href = 'https://alicepay.xyz' immediately, so with this check we still cannot prevent it from happening.

My understanding is that we do not need to do any origin-related check (if it is user triggered) for openWindow.

The returned "The WindowClient interface of the ServiceWorker API represents the scope of a service worker client that is a document in a browser context, controlled by an active worker."

If the window is opened, redirected or navigated out of the origin, then the service worker has no control over it. We cannot find that window through Clients.matchAll.

Make sense?

https://github.com/w3c/payment-handler/pull/202#discussion_r132987319

Received on Monday, 14 August 2017 15:50:32 UTC
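
The point made in the comment above, as an added example that is not part of the original message or the specification: a handler-side check that treats a null result from openWindow, or a window no longer listed by Clients.matchAll, as outside the service worker's control. The function names and the sample client objects are assumptions constructed for illustration.

```javascript
// Added example. `opened` is what openWindow resolved with and `liveClients`
// is the array from clients.matchAll({ type: 'window' }); both are passed in
// so the logic runs outside a service worker.

// True only for a window client whose current URL is on the handler's origin.
function isSameOrigin(client, handlerOrigin) {
  if (!client || typeof client.url !== 'string') return false;
  try {
    return new URL(client.url).origin === handlerOrigin;
  } catch (e) {
    return false; // unparsable URL: treat as not ours
  }
}

// Decide whether the handler may message the window it opened.
function classifyOpenedWindow(opened, liveClients, handlerOrigin) {
  // null: the window exists but is outside the worker's origin.
  if (opened === null || opened === undefined) return 'uncontrolled';
  // Re-resolve through the live list: the page may have navigated since.
  const current = liveClients.find((c) => c.id === opened.id);
  if (!current) return 'gone';
  return isSameOrigin(current, handlerOrigin) ? 'controlled' : 'uncontrolled';
}

// Constructed sample data (not captured from a browser).
const HANDLER_ORIGIN = 'https://bobpay.xyz';
const sameOriginClient = { id: 'w1', url: 'https://bobpay.xyz/pay' };
const samples = {
  crossOriginOpen: classifyOpenedWindow(null, [], HANDLER_ORIGIN),
  stillSameOrigin: classifyOpenedWindow(sameOriginClient, [sameOriginClient], HANDLER_ORIGIN),
  navigatedAway: classifyOpenedWindow(sameOriginClient, [], HANDLER_ORIGIN),
};
console.log(samples);
```

Only the 'controlled' result means the handler should postMessage to the window; the other two mean the payment flow has to proceed without a channel to it.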