- From: Marcos Cáceres <notifications@github.com>
- Date: Wed, 07 Jun 2017 21:52:22 -0700
- To: w3c/browser-payment-api <browser-payment-api@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 8 June 2017 04:53:20 UTC
Unless I've missed something, it seems one can co-opt and untrusted event to do the work of a trusted event*:
```JS
const request = new PaymentRequest(defaultMethods, defaultDetails);
const untrustedEvent = new PaymentRequestUpdateEvent("test");
request.dispatchEvent(ev); // set .target
request.show();
request.onshippingaddresschange = () => {
const update = {
total: {
label: "Untrusted",
amount: {
currency: "USD",
value: "1111.00",
},
},
};
untrustedEvent.updateWith(Promise.resolve(update));
};
```
We might just need to say in `.updateWith()` that if the event is untrusted, throw a `SecurityError` or `NotAllowedError`.
* Chrome ignores this.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/browser-payment-api/issues/546
Received on Thursday, 8 June 2017 04:53:20 UTC