Re: [w3c/payment-request] Disable Payment Request API in CSP/iframe sandbox (#698)

I agree.

Out of curiosity, even if the spec says nothing about the sandbox, shouldn't
the spec rely on the current origin of the page when making decisions, and if it
did, shouldn't it just work out?

On Sat, May 5, 2018, 12:20 PM Jun <notifications@github.com> wrote:

> dropbox.com/enterprise <https://www.dropbox.com/enterprise> is using the
> following CSP sandbox:
> content-security-policy: sandbox allow-forms allow-scripts
> allow-top-navigation allow-popups;
>
> FYI to the spec editors (of all kinds), you all are doing a great job in
> restricting cross-origin frames or insecure contexts for powerful APIs. But
> in my experience, CSP/iframe sandbox is usually left to implementors and I
> don't think it's a good idea (especially now that we have a major website
> taking advantage of sandbox). This was also a spec issue in Web App Manifest
> <https://github.com/w3c/manifest/pull/638>. And what about CredMan?
>
> So I would appreciate it if spec editors could keep the sandbox in mind and
> restrict powerful APIs in sandboxed content as you do for cross-origin
> frames and insecure contexts. Thanks.


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/issues/698#issuecomment-386849029

Received on Sunday, 6 May 2018 02:32:50 UTC