- From: Danyao Wang <notifications@github.com>
- Date: Mon, 02 Mar 2020 08:57:08 -0800
- To: w3c/manifest <manifest@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/manifest/issues/851@github.com>
The [Payment Handler API] introduces a new flow where a web app manifest can be triggered as part of the fetching flow for a "payment method manifest". It's not clear in this case, which CSP policy should apply to the items loaded from the web app manifest. A specific edge case was identified in http://crbug.com/1055360. The spec currently states in [Section 9.2]: > 9.2 Content security policy of image resources > The security policy that governs whether a user agent can fetch an icon image is governed by the img-src directive [CSP3] associated with the manifest's owner Document. In the payment handler flow, there is no "owner Document" for the web app manifest per se. The currently implemented behavior in Chrome (after http://crrev.com/c/2076661) is to use the CSP policy of the merchant document that triggered the Payment Request. However, as @mgiuca points out in [#c8](https://bugs.chromium.org/p/chromium/issues/detail?id=1055360#c8), this doesn't make complete sense because the requester page (e.g. a merchant) is often a different entity from the payment method manifest (e.g. a payment app), which actually triggers the web app manifest. In this case, the requester page doesn't have a direct relationship with the web app manifest. [Payment Handler API]: https://w3c.github.io/payment-handler/#authorized-payment-apps [Section 9.2]: https://w3c.github.io/manifest/#content-security-policy-of-image-resources -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/manifest/issues/851
Received on Monday, 2 March 2020 16:57:21 UTC