Re: [w3c/payment-handler] CanMakePaymentEvent handling algorithm unclear (#330) from Rouslan Solomakhin on 2019-01-23 (public-webpayments-specs@w3.org from January 2019)

From: Rouslan Solomakhin <notifications@github.com>
Date: Wed, 23 Jan 2019 17:51:53 +0000 (UTC)
To: w3c/payment-handler <payment-handler@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/payment-handler/issues/330/456900891@github.com>

Very interesting attack vector! We can mitigate this by short-circuiting the `hasEnrolledInstrument()` algorithm when the merchant and the payment handler are from the same origin. In that case, we can fire the `CanMakePaymentEvent` without any privacy violations, because it's a single origin communicating to itself. This behavior would be the same for both regular and private browsing mode, thus removing the possibility of detection of private browsing mode.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-handler/issues/330#issuecomment-456900891

Received on Wednesday, 23 January 2019 17:52:14 UTC