Contact emailssmcgr...@chromium.org, rous...@chromium.org Specificationhttps://www.w3.org/TR/payment-method-manifest/#processing-model
Summary Deprecate the ability for PaymentHandler to bypass the connect-src CSP policy when fetching the manifest. After this deprecation, a site's connect-src CSP policy will need to allow for the payment method URL specified in a PaymentRequest call, as well as any other URLs that the method chains to fetch its manifest. Blink componentBlink>Payments <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EPayments> Motivation Content Security Policy (CSP) directives enable a site to detect and mitigate various forms of attacks including Cross-Site Scripting, data injection, and data theft. Specifically, the connect-src[0] directive limits which URLs can be loaded via various script interfaces. Web-based PaymentHandlers are loaded by specifying a URL to the PaymentRequest API, which the browser then uses to fetch a manifest file for the PaymentHandler. This fetching (of various URLs along the way[1]) does not currently obey connect-src within Chrome and so could be used as a data exfiltration method. For example, injected script on https://example.org could specify a (invalid) payment method of https://attacker.com/exfiltrate?data=foobar, where 'foobar' is some secret stolen from example.org. To defeat such an attack, we intend to make PaymentHandler requests fall under the purview of the connect-src CSP policy. This may require action from both PaymentHandler apps and the sites (merchants) that use them. The PaymentHandler app will have to determine all URLs that its app may rely on (e.g., including redirects and the multiple manifest files) and publish this list somewhere. Sites (merchants) using PaymentRequest will have to make sure that if they have a connect-src CSP, it allows for the payment app that they want. [0]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src [1]: https://www.w3.org/TR/payment-method-manifest/#fetch-pmm TAG review statusNot applicable Risks Interoperability and Compatibility*Gecko*: N/A Firefox does not currently implement or ship PaymentHandler. *WebKit*: N/A Safari does not currently implement or ship PaymentHandler. *Web developers*: No signals WebView application risks Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications? None: PaymentHanlders are not supported in WebView. Debuggability CSP violations print console error messages. Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> ?No Flag name#payment-handler-csp Requires code in //chrome?No Tracking bughttps://crbug.com/1349091 Launch bughttps://crbug.com/1349093 Estimated milestones DevTrial: 106 Link to entry on the Chrome Platform Status https://chromestatus.com/feature/6286595631087616 This intent message was generated by Chrome Platform Status <https://chromestatus.com/>. -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAMMzaWFzTUaOT1siS7t0YGKt2jsF0QdvP5A1Hbyq7yfRrHSRkw%40mail.gmail.com.
