[w3c/browser-payment-api] The origin restrictions in the PaymentRequest are not nearly strong enough (#332)

Step 3 of the steps in https://w3c.github.io/browser-payment-api/#constructor (I see no way to link to the steps directly) says:

> If the browsing context of the script calling the constructor is a nested browsing context whose origin is different from the top-level browsing context's origin and the nested browsing context is not allowed to make payment requests, then throw a SecurityError. 

This has at least two problems (not counting the already-filed https://github.com/w3c/browser-payment-api/issues/324 and https://github.com/w3c/browser-payment-api/issues/323):

1.  Consider the case when our toplevel origin is A, which loads a subframe from origin B, which loads a subframe from origin A.  This innermost frame would be allowed to make payment requests, as the spec is currently written, even if the B subframe is not.  That seems very odd to me.  The secure thing here would be to only allow payment requests in a document if all its ancestor documents can make payment requests, plus whatever other criteria are desired.  This is how feature policy would work, for example.
2.  It's not clear to me that any of this considers that various of the documents involved may not be active, or may not be fully active.  It's hard to tell, exactly, because the other two issues I cite above mean the processing model is really not defined at all here.

https://github.com/w3c/browser-payment-api/issues/332

Received on Wednesday, 30 November 2016 02:57:20 UTC