> We could close this by saying: "The PMI spec requires that the manifest can be fetched securely so integrity checking is redundant", but I'm not sure if that is true?
It depends on how the fetch is initiated - and it contains a way of verifying the integrity... see, for example, https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
If it's delivered over TLS, then it can be validated, so long as the page that initiated the request provides the hash to validate against.
--
https://github.com/w3c/webpayments-method-identifiers/issues/18#issuecomment-279330442
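
The check the reply describes, as an added example in Node.js that is not part of the original thread: the initiating page pins a hash, and the fetched manifest body is verified against it using the Subresource Integrity value format, where the strongest listed algorithm decides. The manifest bytes and all function names are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Hash functions defined for SRI, weakest to strongest.
const STRENGTH = ["sha256", "sha384", "sha512"];

// Build an integrity value such as "sha384-<base64 digest>" for the pinning page.
function sriFor(body, alg = "sha384") {
  return `${alg}-${crypto.createHash(alg).update(body).digest("base64")}`;
}

// Parse whitespace-separated "alg-base64[?options]" tokens; unknown algorithms are skipped.
function parseIntegrity(value) {
  const parsed = [];
  for (const token of value.trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/=_-]+)(\?.*)?$/.exec(token);
    if (m) parsed.push({ alg: m[1], digest: m[2] });
  }
  return parsed;
}

// Returns "match", "mismatch" or "no-metadata".
// Browsers load the resource unchecked when no usable metadata is present,
// so a caller that requires integrity must treat "no-metadata" as a failure.
function checkIntegrity(body, integrity) {
  const parsed = parseIntegrity(integrity);
  if (parsed.length === 0) return "no-metadata";
  // Only hashes using the strongest listed algorithm are considered.
  const strongest = parsed.reduce(
    (best, p) => (STRENGTH.indexOf(p.alg) > STRENGTH.indexOf(best) ? p.alg : best),
    parsed[0].alg
  );
  for (const p of parsed.filter((q) => q.alg === strongest)) {
    const actual = crypto.createHash(p.alg).update(body).digest();
    const expected = Buffer.from(p.digest, "base64");
    if (expected.length === actual.length && crypto.timingSafeEqual(expected, actual)) {
      return "match";
    }
  }
  return "mismatch";
}

// Constructed sample: the manifest as published, and the hash the initiating page pins.
const SAMPLE_MANIFEST = Buffer.from('{"name":"constructed manifest"}');
const PINNED = sriFor(SAMPLE_MANIFEST);

console.log(checkIntegrity(SAMPLE_MANIFEST, PINNED));                         // as published
console.log(checkIntegrity(Buffer.from('{"name":"tampered"}'), PINNED));      // altered body
console.log(checkIntegrity(SAMPLE_MANIFEST, "md5-AAAA"));                     // unusable pin
```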