Re: [paymentrequest] Payment App Registration: Same Origin is problematic for identifying_url (#66)

I'm not completely sure I understand the issue here.

We encountered important same origin policy issues when building the [Taler](https://api.taler.net/#web-integration-handbook) [wallet](http://www.git.taler.net/?p=wallet.git;a=tree), both first when building our first wallet, and then again when updating it from XUL to WebExtensions.  In places, we felt the need to ensure that particular paths were a hard stop for the current page and forced a page transition, sometimes even for some error paths.  In all cases, switching from the less restrictive XUL same origin policy to the more restrictive WebExtensions same origin policy improved our payment application's security.

A priori, I'd expect the browser's origin policy requirements should be treated as absolute.  All payments will need to depart the merchant's page to access anything that the user can trust and that can access the user's identity, payment methods, claims, etc.  It doesn't necessarily need to replace the current page, but it must not allow repeated back and forth with the merchant page.

We also found a significant difference with the origin policy issues between payments that require user interaction, and our hypothetical future "valueless" auto-pay currencies, but that's not an issue here.

---
Reply to this email directly or view it on GitHub:
https://github.com/WICG/paymentrequest/issues/66#issuecomment-188401505

Received on Wednesday, 24 February 2016 18:47:39 UTC