- From: Marcos Cáceres <notifications@github.com>
- Date: Sun, 28 May 2017 22:14:59 -0700
- To: w3c/browser-payment-api <browser-payment-api@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/browser-payment-api/pull/540@github.com>
Through [newly added web platform tests](https://w3c-test.org/payment-request/), we discovered that it was possible to crash various browsers through unreasonably large inputs (e.g., unrealistically large currency values of sizes of 10<sup>102</sup>). Or [absurdly sized payment request `id` values](https://bugs.chromium.org/p/chromium/issues/detail?id=725744#c16).

This differs across platforms, because of various platform-specific limits. E.g., string size limits are different on Android vs. on desktop platforms, etc. As such, naturally, user agents will need to guard against unreasonably large inputs (hence this PR).

Accompanying this change, we will change the web platform tests to limit inputs to a size of 1024 characters. That's large enough to accommodate most ridiculous values (again, e.g., a currency being 1024 characters long), but not risk hitting platform-specific limits.

What we might do is include these stress tests nonetheless, but just have them in try/catch blocks, to ensure the browser doesn't crash - but make no assumption that browsers will be able to handle these large values.

@foolip, @jgraham, @zcorpan, would appreciate your input. Does the change to the web platform tests sound reasonable? Is there precedent we should follow?

N.B.: Firefox and Chrome have been patched or are being patched to fix the crashes. But more evil tests to come! 😈

You can view, comment on, or merge this pull request online at:

https://github.com/w3c/browser-payment-api/pull/540

-- Commit Summary --

* Cater for platform-specific limitations

-- File Changes --

M index.html (6)

-- Patch Links --

https://github.com/w3c/browser-payment-api/pull/540.patch
https://github.com/w3c/browser-payment-api/pull/540.diff
Received on Monday, 29 May 2017 05:15:34 UTC
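
The two test styles described in the message, sketched as an added example (not part of the original message, the pull request, or the web platform tests): a bounded test that expects 1024-character inputs to be accepted, and a stress test wrapped in try/catch that accepts either outcome. `FakePaymentRequest`, its 4096-character limit, its `TypeError`, and the `https://example.com/pay` method identifier are assumptions so the code runs outside a browser; in a browser, pass the real `PaymentRequest` constructor instead.

```javascript
// Size the message proposes for regular (non-stress) test inputs.
const BOUNDED_LEN = 1024;

// Build constructor arguments whose `id` and total amount value are `len` characters long.
function makeArgs(len) {
  const methods = [{ supportedMethods: "https://example.com/pay" }]; // placeholder method
  const details = {
    id: "a".repeat(len),
    total: {
      label: "Total",
      amount: { currency: "USD", value: "1".repeat(len) },
    },
  };
  return [methods, details];
}

// Regular test: inputs at the bounded size are expected to be accepted unchanged.
function boundedTest(Ctor) {
  const request = new Ctor(...makeArgs(BOUNDED_LEN));
  return request.id.length === BOUNDED_LEN;
}

// Stress test: makes no assumption about acceptance. The only requirement is
// that the constructor either returns or throws, so a crash never reaches here.
function stressTest(Ctor, len) {
  try {
    new Ctor(...makeArgs(len));
    return "accepted";
  } catch (err) {
    return "rejected: " + err.name;
  }
}

// Hypothetical stand-in for a user agent that guards against oversized inputs.
// The limit and the exception type are assumptions made for this example.
const FAKE_LIMIT = 4096;
class FakePaymentRequest {
  constructor(methods, details) {
    const value = details.total.amount.value;
    if (details.id.length > FAKE_LIMIT || value.length > FAKE_LIMIT) {
      throw new TypeError("input exceeds implementation-defined limit");
    }
    this.id = details.id;
  }
}

console.log(boundedTest(FakePaymentRequest));        // bounded input accepted
console.log(stressTest(FakePaymentRequest, 100000)); // oversized input rejected cleanly
```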