LGTM1

On Wed, Sep 21, 2022 at 7:30 PM Rouslan Solomakhin <[email protected]> wrote:

> Contact
> [email protected], [email protected]
>
> Specification
> https://www.w3.org/TR/payment-method-manifest/#processing-model
>
> Summary
>
> Deprecate the ability for Web Payment API to bypass the connect-src CSP
> policy when fetching the manifest. After this deprecation, a site's
> connect-src CSP policy will need to allow for the payment method URL
> specified in a PaymentRequest call, as well as any other URLs that the
> method chains to fetch its manifest.
>
> Blink component: Blink>Payments
> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EPayments>
>
> Motivation
>
> Content Security Policy (CSP) directives enable a site to detect and
> mitigate various forms of attacks including Cross-Site Scripting, data
> injection, and data theft. Specifically, the connect-src[0] directive
> limits which URLs can be loaded via various script interfaces. Web-based
> PaymentHandlers are loaded by specifying a URL to the PaymentRequest API,
> which the browser then uses to fetch a manifest file for the
> PaymentHandler. This fetching (of various URLs along the way[1]) does not
> currently obey connect-src within Chrome and so could be used as a data
> exfiltration method. For example, injected script on https://example.org
> could specify an (invalid) payment method of
> https://attacker.com/exfiltrate?data=foobar, where 'foobar' is some
> secret stolen from example.org. To defeat such an attack, we intend to
> make PaymentHandler requests fall under the purview of the connect-src CSP
> policy. This may require action from both PaymentHandler apps and the sites
> (merchants) that use them. The PaymentHandler app will have to determine
> all URLs that its app may rely on (e.g., including redirects and the
> multiple manifest files) and publish this list somewhere. Sites (merchants)
> using PaymentRequest will have to make sure that if they have a connect-src
> CSP, it allows for the payment app that they want.
>
> [0]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
> [1]: https://www.w3.org/TR/payment-method-manifest/#fetch-pmm
>
> TAG review status: Not applicable
>
> Risks
>
> Interoperability and Compatibility
>
> *Gecko*: N/A. Does not implement or ship PaymentHandler.
> *WebKit*: N/A. Does not implement or ship PaymentHandler.
> *Web developers*: No signals.
> *Other signals*: No signals.
>
> WebView application risks
>
> None: PaymentHandlers are not supported in WebView.
>
> Debuggability
>
> CSP violations print console error messages.
>
> Is this feature fully tested by web-platform-tests? No
>
> Flag name: #web-payment-api-csp
>
> Requires code in //chrome? False
>
> Tracking bug: https://crbug.com/1349091
>
> Launch bug: https://crbug.com/1349093
>
> Estimated milestones
> Print a deprecation warning in developer console: 108-110
> Remove CSP bypass: 111
> Reverse origin trial if necessary for anyone to opt out: 111-113.
>
> Link to entry on the Chrome Platform Status
> https://chromestatus.com/feature/6286595631087616
>
> Links to previous Intent discussions:
> Intent to prototype
> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/cammzawfztuaot1sis7t0ygkt2jsf0qdvp5a1hbyq7yfrrhs...@mail.gmail.com>
> Intent to experiment
> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAMMzaWFUbSFNuCbyefZKuSDmFtOd=d5xsopve0p6pwoxvpg...@mail.gmail.com>
>
> This intent message was generated by Chrome Platform Status
> <https://chromestatus.com/>.
>
> --
> You received this message because you are subscribed to the Google Groups
> "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAMMzaWHB8fHC0WB%2BHRNmkQxbpy27v9ziYq-pmUqR9xJvm7Kf2Q%40mail.gmail.com
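The practical consequence of the deprecation above is that a merchant's connect-src directive must cover the payment method identifier URL plus every manifest URL it chains to. The following is an added example, not code from the thread, from Chromium, or from the Web Payments spec: a small pre-flight checker a merchant could run against their own CSP header and the URL list a payment app publishes. It parses the header, picks connect-src (falling back to default-src, as CSP itself does), and matches each URL in the chain against the directive's source expressions using the CSP host-source rules for scheme, host wildcard, port and path prefix. Nonce and hash sources are ignored since they never match a URL. All origins, header values and the manifest chain are constructed for the example.

```javascript
// Added example: check whether a page's connect-src policy would permit the
// fetches PaymentRequest performs for a payment method's manifest chain.
// Everything below (origins, CSP strings, URL chain) is constructed sample data.

function parseDirectives(cspHeader) {
  // CSP: directives are ';'-separated; the first occurrence of a name wins.
  const directives = new Map();
  for (const part of cspHeader.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);              // "*.pay.example" -> ".pay.example"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does a single source expression permit `url` when the page is `pageOrigin`?
function sourceAllows(expr, url, pageOrigin) {
  const lower = expr.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return url.protocol === lower;   // scheme-source, e.g. "https:"
  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/.exec(lower);
  if (!m) return false;                          // nonce-, hash- or unknown source: never matches a URL
  const [, scheme, host, port, path] = m;
  if (scheme) {
    if (url.protocol !== scheme + ':') return false;
  } else if (!(url.protocol === 'https:' || (url.protocol === 'http:' && pageOrigin.startsWith('http:')))) {
    return false;                                // no scheme given: https always, http only from an http page
  }
  if (!hostMatches(host, url.hostname)) return false;
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  if (port === undefined) {
    if (url.port !== '') return false;           // no port in source: URL must use its scheme's default port
  } else if (port !== '*' && port !== urlPort) {
    return false;
  }
  if (path) {
    if (path.endsWith('/')) { if (!url.pathname.startsWith(path)) return false; }  // prefix match
    else if (url.pathname !== path) return false;                                  // exact match
  }
  return true;
}

function connectSrcAllows(cspHeader, urlString, pageOrigin) {
  const directives = parseDirectives(cspHeader);
  const sources = directives.get('connect-src') ?? directives.get('default-src');
  if (!sources) return true;                     // neither directive present: CSP does not restrict fetches
  const url = new URL(urlString);
  return sources.some((expr) => sourceAllows(expr, url, pageOrigin));
}

// Return the URLs in the manifest chain that the policy would block.
function checkManifestChain(cspHeader, chain, pageOrigin) {
  return chain.filter((u) => !connectSrcAllows(cspHeader, u, pageOrigin));
}

// Constructed scenario: a merchant page, a policy that forgot the payment
// app's CDN, and the corrected policy that covers the whole chain.
const PAGE_ORIGIN = 'https://merchant.example';
const MANIFEST_CHAIN = [
  'https://pay.example/pay',                      // payment method identifier passed to PaymentRequest
  'https://pay.example/payment-manifest.json',    // payment method manifest it links to
  'https://cdn.pay.example/manifest.json',        // web app manifest the method manifest chains to
];
const CSP_BEFORE = "default-src 'self'; connect-src 'self' https://pay.example";
const CSP_AFTER = "default-src 'self'; connect-src 'self' https://pay.example https://*.pay.example";

console.log('blocked before:', checkManifestChain(CSP_BEFORE, MANIFEST_CHAIN, PAGE_ORIGIN));
console.log('blocked after: ', checkManifestChain(CSP_AFTER, MANIFEST_CHAIN, PAGE_ORIGIN));
```

Running it reports `cdn.pay.example` as blocked under the first policy and nothing under the second, which is exactly the console error a merchant would otherwise first see in milestone 111. The same function applied to an unexpected method URL (such as the exfiltration example in the intent) returns false, which is the point of the deprecation.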
