- From: Ian Clelland <notifications@github.com>
- Date: Fri, 04 May 2018 08:21:12 -0700
- To: w3c/payment-request <payment-request@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 4 May 2018 15:21:35 UTC
So, to disable paymentrequest completely in *any* frame, whether same- or cross-origin, sandboxed or not, it is possible to use `allow="payment 'none'"`. Then, even in the least-sandboxed sandbox:

```html
<iframe allow="payment 'none'" sandbox="allow-same-origin allow-scripts" srcdoc="..."></iframe>
```

the PaymentRequest API will be denied.

That won't stop a malicious script from reaching up into `parent` and forcing *it* to call the API (or removing the attribute, or even the sandbox attribute, and reloading itself), but if you're same-origin with your parent, then you've already given up on a lot of origin-based security protections.

Is dropbox.com/enterprise using `allow-same-origin` and `allow-scripts`? That's the only way that it should be able to request payment in a sandbox (but has all of the other problems above).

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/issues/698#issuecomment-386633587
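The two checks the message describes, as an added example that is not part of the original message or of the payment-request project: a static audit of an iframe's `allow` and `sandbox` attribute values. The function names `parseAllow` and `auditFrame` are hypothetical, and the audit assumes the frame's content is same-origin with its parent, as with `srcdoc`.

```javascript
// Added example: audit an <iframe>'s `allow` and `sandbox` attribute values.
// Assumption: frame content is same-origin with the parent (e.g. srcdoc).

// Parse allow="feature allowlist; feature allowlist" into a Map.
function parseAllow(allow) {
  const policy = new Map();
  for (const directive of (allow || '').split(';')) {
    const [feature, ...allowlist] = directive.trim().split(/\s+/).filter(Boolean);
    if (feature) policy.set(feature, allowlist);
  }
  return policy;
}

// sandbox === null means the attribute is absent (frame is not sandboxed).
function auditFrame({ allow = '', sandbox = null }) {
  const allowlist = parseAllow(allow).get('payment');
  // Only an explicit 'none' allowlist counts as "denied" for this audit.
  const paymentDenied = Array.isArray(allowlist) &&
    allowlist.length === 1 && allowlist[0] === "'none'";

  const tokens = sandbox === null
    ? null
    : new Set(sandbox.toLowerCase().split(/\s+/).filter(Boolean));
  // With both tokens, frame script runs in the parent's origin and can reach
  // `parent` or remove its own attributes, so the sandbox no longer isolates it.
  const sandboxHolds = tokens !== null &&
    !(tokens.has('allow-same-origin') && tokens.has('allow-scripts'));

  let finding;
  if (!paymentDenied) {
    finding = "payment is not explicitly denied by allow";
  } else if (sandboxHolds) {
    finding = "payment denied in frame; sandbox isolates frame from parent";
  } else {
    finding = "payment denied in frame; frame script can still reach parent";
  }
  return { paymentDenied, sandboxHolds, finding };
}

// Constructed sample: the attribute values from the message above.
console.log(auditFrame({
  allow: "payment 'none'",
  sandbox: 'allow-same-origin allow-scripts',
}));
```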