Published on: 2014-05-12T17:21:33+00:00
The discussion revolves around the security concerns associated with mobile code fetching random web resources, which can lead to unexpected security vulnerabilities. The proposal suggests allowing payment requests/payments to be accessed cross-site, as they already need to be publicly accessible endpoints from the server's perspective. However, implementing the payment protocol in browser-sandboxed JavaScript would require someone willing to fully implement it, including features like root cert store, ASN.1 parsing, and RSA.Despite the challenges, there is still value in fetching the payment request cross-site, even if the request payload is validated by a third party using a more conventional TLS/crypto suite. The author finds the idea of exposing x.509/RSA/ASN.1/chain verification functionality in browsers to be beneficial and easily achievable. However, the author acknowledges that without the ability to implement this proposal, it is unlikely to gain popularity.Another point of discussion is amending BIP 70, which suggests including an "Access-Control-Allow-Origin: *" response header for payment request responses. This amendment aims to prevent security vulnerabilities arising from mobile code fetching random web resources. Implementing the payment protocol in browser-sandboxed JavaScript may not be widely accepted, making the usefulness of this suggestion uncertain.Andy proposes amending BIP 70 to recommend implementers to include the "Access-Control-Allow-Origin: *" response header for their payment request responses. This approach would allow HTML5 web wallets to use the payment protocol entirely within the browser, eliminating the need for the server hosting the wallet's HTML to fetch payment requests on behalf of the browser. Andy argues that this method is more elegant and has fewer security and resource implications for the back-end. He also believes that this amendment does not introduce any significant attack vectors.
Updated on: 2023-08-01T09:14:07.238438+00:00