Re: [w3c/payment-handler] Origin definitions are imprecise (#263)

Consider this scenario: window A, at `https://a.example.com/`, creates a PaymentRequest object `pr`, then uses window.open() to create window B at `https://b.example.com/`. (Both windows set `document.domain = "example.com"` so that they can synchronously talk to each other despite being cross-origin.)

It passes the PaymentRequest object to window B. The user clicks a button inside window B, whose click handler calls `pr.show()`.

Is `topLevelOrigin` intended to be `a.example.com` or `b.example.com`? Both are top-level browsing contexts.

You can make this example even more convoluted by, e.g., using the `PaymentRequest.prototype.show` method from a window C, or making the button sit inside an iframe D nested inside window B, or similar.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-handler/issues/263#issuecomment-378401771

Received on Tuesday, 3 April 2018 21:16:12 UTC
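The two-window scenario described in the comment above, written out as the scripts each window would run. This is an added example, not code from the issue thread or the Payment Handler spec: the payment method identifier, the request details, the `pay` button id and the `canRelaxDomainTo` helper are all assumptions made here. The helper implements the `document.domain` setter rule in simplified form (the value must be the current host or a dot-separated suffix of it that is not a bare TLD); real browsers additionally consult the public suffix list, which is omitted.

```javascript
// Added example: window A creates a PaymentRequest, opens window B on a sibling
// subdomain, and B calls pr.show() on A's object. Both pages relax document.domain
// first so they can script each other synchronously despite being cross-origin.

// Pure helper (simplified spec rule, assumption: no public-suffix-list check):
// a page on `host` may set document.domain to `value` only if `value` equals
// `host` or is a dot-separated suffix of it that itself contains a dot.
function canRelaxDomainTo(host, value) {
  if (host === value) return true;
  if (!value.includes('.')) return false;      // refuse bare TLDs such as "com"
  return host.endsWith('.' + value);           // "a.example.com" -> "example.com" ok
}

// Apply the relaxation, failing loudly instead of letting the setter throw later.
function relaxDomain(doc, value) {
  const host = doc.location.hostname;
  if (!canRelaxDomainTo(host, value)) {
    throw new Error(`cannot set document.domain to ${value} from ${host}`);
  }
  doc.domain = value;
}

// Script for window A at https://a.example.com/ (hypothetical page).
function windowA() {
  relaxDomain(document, 'example.com');
  // Placeholder method data and details; the values are assumptions for the example.
  const methodData = [{ supportedMethods: 'https://pay.example/' }];
  const details = {
    total: { label: 'Total', amount: { currency: 'USD', value: '1.00' } },
  };
  // The PaymentRequest is constructed in A's browsing context.
  window.pr = new PaymentRequest(methodData, details);
  // B is a separate top-level browsing context whose opener is A.
  window.open('https://b.example.com/');
}

// Script for window B at https://b.example.com/ (hypothetical page with a #pay button).
function windowB() {
  relaxDomain(document, 'example.com');
  // Synchronous cross-window access works only because both sides relaxed.
  const pr = window.opener.pr;
  document.getElementById('pay').addEventListener('click', () => {
    // show() requires user activation, which the click supplies in B, yet the
    // request object belongs to A: this is the ambiguity the comment raises.
    pr.show()
      .then((response) => response.complete('success'))
      .catch((err) => console.error('show() failed:', err));
  });
}

// Only dispatch when running in a browser; in Node there is no window object.
if (typeof window !== 'undefined') {
  if (window.location.hostname === 'a.example.com') windowA();
  else windowB();
}
```

Note that `document.domain` relaxation is deprecated: current Chromium ignores the setter by default unless the page is served with `Origin-Agent-Cluster: ?0`, so the scenario above only reproduces where that opt-out (or an older browser) is in play.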