Author: Andy Alness 2014-05-12 17:21:33
Published on: 2014-05-12T17:21:33+00:00
The discussion is about the security of mobile code fetching random web resources, which can result in surprising security holes. The proposal is to allow payment requests/payments to be accessed cross-site, since from the server's perspective they already need to be publicly accessible endpoints. However, implementing the payment protocol in browser-sandboxed JavaScript, with its own root cert store, ASN.1 parsing, RSA, etc., would only happen if someone wanted to implement it fully. Even so, there is still value in fetching the payment request cross-site, even if the request payload is validated by a third party using a more conventional TLS/crypto suite. Exposing X.509/RSA/ASN.1/chain verification functionality strikes the author as a useful thing browsers could easily offer. Finally, the author believes that if there is no ability to implement this proposal, then it certainly won't be popular.
Updated on: 2023-06-08T22:34:15.548289+00:00