- From: Ian Clelland <notifications@github.com>
- Date: Mon, 07 May 2018 14:04:12 +0000 (UTC)
- To: w3c/payment-request <payment-request@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 7 May 2018 14:04:59 UTC
> dropbox.com/enterprise is using following CSP sandbox.
`content-security-policy: sandbox allow-forms allow-scripts allow-top-navigation allow-popups;`
That should be sufficient to completely restrict the use of the PaymentRequest API in that frame. That policy should ensure that the frame has an opaque origin, which will be cross-origin with the frame in which it is embedded, and as long as the containing page hasn't explicitly granted access, it will be denied by default. Any other behavior is a bug.
> shouldn't the spec rely on current origin of page when making decisions and if it
did, shouldn't it just work out?
Exactly, that is what should happen in this situation.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/issues/698#issuecomment-387075088
Received on Monday, 7 May 2018 14:04:59 UTC