Re: [w3c/payment-request] Disable Payment Request API in CSP/iframe sandbox (#698)

Real-world example: [dropbox.com/enterprise](https://www.dropbox.com/enterprise) runs on a CMS, which they isolated from the main [dropbox.com/](https://www.dropbox.com/) using CSP sandbox. XSS in the CMS theoretically has no impact on the main [dropbox.com/](https://www.dropbox.com/), but in this case, an attacker can ask for payment :)
CC: @devd

-- 
https://github.com/w3c/payment-request/issues/698#issuecomment-385191722

Received on Saturday, 28 April 2018 17:17:07 UTC