-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarify security check for URL-based payment method identifier #65
Comments
The "potentially trustworthy" http is being allowed for local testing on http://127.0.0.1 and allow-listed (on command-line) origins. We can update the spec to note that web browsers can provide affordances for local testing such as this. |
I believe referring to https://fetch.spec.whatwg.org/#http-scheme + https://w3c.github.io/webappsec-secure-contexts/#is-url-trustworthy would be enough. Note that there is already some explanation about why browsers may consider non-https URLs trustworthy on https://w3c.github.io/webappsec-secure-contexts/#implementation-considerations (albeit not for local servers). |
PaymentsValidators::IsValidMethodFormat currently does the following: * If url's scheme is "https", return true. * If url's scheme is not "http", return false. * Otherwise return whether url's origin is potentially trustworthy [1] This CL replaces the above checks with the equivalent form: * Return whether url is HTTP(S) [2] and potentially trustworthy [3] Note that the specification currently says we should only allow https but that would be a behavior change. A ticket has been opened [4]. Additionally, this helps with the goal of bug 1153336 by removing one call to SecurityOrigin::IsPotentiallyTrustworthy. Bug: 1200225, 1153336 [1] https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy [2] https://fetch.spec.whatwg.org/#http-scheme [3] https://w3c.github.io/webappsec-secure-contexts/#is-url-trustworthy [4] w3c/payment-method-id#65 Change-Id: I0d57e2d4c14e07931be91e32bc798aab2e690106 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2834133 Reviewed-by: Nick Burris <nburris@chromium.org> Commit-Queue: Frédéric Wang <fwang@igalia.com> Cr-Commit-Position: refs/heads/master@{#873836}
PaymentsValidators::IsValidMethodFormat currently does the following: * If url's scheme is "https", return true. * If url's scheme is not "http", return false. * Otherwise return whether url's origin is potentially trustworthy [1] This CL replaces the above checks with the equivalent form: * Return whether url is HTTP(S) [2] and potentially trustworthy [3] Note that the specification currently says we should only allow https but that would be a behavior change. A ticket has been opened [4]. Additionally, this helps with the goal of bug 1153336 by removing one call to SecurityOrigin::IsPotentiallyTrustworthy. Bug: 1200225, 1153336 [1] https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy [2] https://fetch.spec.whatwg.org/#http-scheme [3] https://w3c.github.io/webappsec-secure-contexts/#is-url-trustworthy [4] w3c/payment-method-id#65 Change-Id: I0d57e2d4c14e07931be91e32bc798aab2e690106 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2834133 Reviewed-by: Nick Burris <nburris@chromium.org> Commit-Queue: Frédéric Wang <fwang@igalia.com> Cr-Commit-Position: refs/heads/master@{#873836} GitOrigin-RevId: a72c5d8c637c28b9040e191e8af2ccaa19edebd3
In https://w3c.github.io/payment-method-id/#validation the following security checks are performed:
Chromium's implementation does the following ( https://source.chromium.org/chromium/chromium/src/+/master:third_party/blink/renderer/modules/payments/payments_validators.cc;l=160;drc=82d9604867706f5b9833f511acd47dffc58e6d91 ):
(And equivalent form would be url's scheme is https://fetch.spec.whatwg.org/#http-scheme and url is https://w3c.github.io/webappsec-secure-contexts/#is-url-trustworthy)
One argument for allowing APIs on non-HTTPS server is so that web developers to experiment their implementation before publication e.g. using an easy-to-test localhost server. I'm not sure whether that applies to web payment, will open a bug on Chromium's side (--edit: done at https://bugs.chromium.org/p/chromium/issues/detail?id=1200225 )
The text was updated successfully, but these errors were encountered: