- From: MaxG <notifications@github.com>
- Date: Wed, 20 Jan 2021 11:09:48 -0800
- To: w3c/payment-handler <payment-handler@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 20 January 2021 19:10:01 UTC
Currently, Web Payment App does not have restrictions on the MIME types of its navigation. This makes it possible for the payment apps to navigate to, for example, PDF, which is lesser used and supported in payment handler. This unnecessarily exposes payment handler API to the vulnerabilities of these surfaces. Thus, I suggest restricting the MIME types of navigations so as to reduce the security attack surface. For example, we can allowlist the following MIME types: - text/* - image/* - video/* - application/javascript - application/xml - application/json -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/payment-handler/issues/383
Received on Wednesday, 20 January 2021 19:10:01 UTC