- From: Frédéric Wang <notifications@github.com>
- Date: Mon, 19 Apr 2021 00:43:20 -0700
- To: w3c/payment-method-id <payment-method-id@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 19 April 2021 07:43:34 UTC
In https://w3c.github.io/payment-method-id/#validation the following security checks are performed:

* If url's scheme is not "https", return false.
* If url's username or password is not the empty string, return false.

Chromium's implementation does the following (https://source.chromium.org/chromium/chromium/src/+/master:third_party/blink/renderer/modules/payments/payments_validators.cc;l=165;drc=82d9604867706f5b9833f511acd47dffc58e6d91):

* If url's scheme is "https", return true.
* If url's scheme is not "http", return false.
* If url's origin is potentially trustworthy (https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy)

(An equivalent form would be: url's scheme is an HTTP(S) scheme (https://fetch.spec.whatwg.org/#http-scheme) and url is potentially trustworthy (https://w3c.github.io/webappsec-secure-contexts/#is-url-trustworthy).)

One argument for allowing APIs on non-HTTPS servers is so that web developers can experiment with their implementation before publication, e.g. using an easy-to-test localhost server. I'm not sure whether that applies to web payment, will open a bug on Chromium's side.

--
View it on GitHub: https://github.com/w3c/payment-method-id/issues/65
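Added example, not code from the message above, from the Payment Method Identifiers spec, or from Chromium: the two validation orderings quoted in the message, written as small JavaScript functions over the WHATWG URL parser so that the identifiers on which they disagree can be listed. Assumptions: the Chromium-style ordering follows the message's description, with its truncated third step read as "return whether the origin is potentially trustworthy"; "potentially trustworthy" is approximated with the host rules from the Secure Contexts spec (localhost names, 127.0.0.0/8, [::1]) rather than a full implementation; the sample identifiers are constructed.

```javascript
// Added example (not the message's, the spec's or Chromium's own code).
// specValidate(): the checks as written in the spec text quoted in the message.
// chromiumStyleValidate(): the ordering the message attributes to Chromium,
// with the truncated third step read as "return whether the origin is
// potentially trustworthy" (assumption).

function parseUrl(identifier) {
  // WHATWG URL parser (Node's global URL); an unparseable identifier is invalid.
  try {
    return new URL(identifier);
  } catch (e) {
    return null;
  }
}

// Spec ordering: https only, and no credentials in the URL.
function specValidate(identifier) {
  const url = parseUrl(identifier);
  if (url === null) return false;
  if (url.protocol !== 'https:') return false;                  // scheme must be https
  if (url.username !== '' || url.password !== '') return false; // no userinfo
  return true;
}

// Approximation of "potentially trustworthy origin" for http URLs (assumption:
// only the Secure Contexts host rules are modelled, not the full algorithm).
function isPotentiallyTrustworthyHost(hostname) {
  if (hostname === 'localhost' || hostname.endsWith('.localhost')) return true;
  if (hostname === '[::1]') return true;                        // URL.hostname keeps the brackets
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname);     // loopback /8
}

// Chromium-style ordering as described in the message: https is accepted
// outright, other non-http schemes are rejected, http depends on the origin.
function chromiumStyleValidate(identifier) {
  const url = parseUrl(identifier);
  if (url === null) return false;
  if (url.protocol === 'https:') return true;
  if (url.protocol !== 'http:') return false;
  return isPotentiallyTrustworthyHost(url.hostname);
}

// Identifiers on which the two orderings disagree; handy when reviewing whether
// an implementation is stricter or looser than the spec text.
function disagreements(identifiers) {
  return identifiers.filter((id) => specValidate(id) !== chromiumStyleValidate(id));
}

// Constructed sample identifiers (not taken from the message).
const SAMPLES = [
  'https://example.com/pay',
  'https://user:pw@example.com/pay',
  'http://localhost:8080/pay',
  'http://127.0.0.1/pay',
  'http://[::1]/pay',
  'http://example.com/pay',
  'ftp://example.com/pay',
  'not a url',
];

for (const id of SAMPLES) {
  console.log(id.padEnd(36), 'spec:', specValidate(id), 'chromium-style:', chromiumStyleValidate(id));
}
console.log('disagree:', disagreements(SAMPLES));
```

Under these assumptions the two orderings differ on exactly the cases the message is about: http identifiers on loopback hosts pass the Chromium-style check but fail the spec's, and an https identifier carrying userinfo passes the Chromium-style ordering as described because that ordering returns before the credential check is ever reached.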