Restrict MIME types of Web Payment App navigation #383

Open
maxlgu opened this issue Jan 20, 2021 · 2 comments
Comments

@maxlgu
Contributor

maxlgu commented Jan 20, 2021

Currently, Web Payment App does not have restrictions on the MIME types of its navigation. This makes it possible for payment apps to navigate to, for example, PDF, which is less commonly used and supported in the payment handler. This unnecessarily exposes the payment handler API to the vulnerabilities of these surfaces. Thus, I suggest restricting the MIME types of navigations so as to reduce the security attack surface. For example, we can allowlist the following MIME types:

  • text/*
  • image/*
  • video/*
  • application/javascript
  • application/xml
  • application/json
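The allowlist check described in the comment above, as an added example that is not part of the issue or of any payment handler implementation; the allowlist is the one listed in the comment, and the helper names (`parseMediaType`, `isAllowedPaymentNavigation`) are assumptions. It operates on raw `Content-Type` header values, so parameters such as `charset` are stripped, matching is case-insensitive, and a missing or malformed type fails closed.

```javascript
// Added example, not code from the issue or from any payment handler
// implementation. The allowlist is the one proposed in the issue.
const PAYMENT_NAVIGATION_ALLOWLIST = [
  "text/*",
  "image/*",
  "video/*",
  "application/javascript",
  "application/xml",
  "application/json",
];

// Reduce a raw Content-Type header value to its lowercase type/subtype pair,
// dropping parameters (charset, boundary, ...) and surrounding whitespace.
// Returns null when the value is not a well-formed type/subtype pair, so the
// caller can fail closed rather than guess.
function parseMediaType(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  const m = /^([a-z0-9!#$&^_.+-]+)\/([a-z0-9!#$&^_.+-]+)$/.exec(essence);
  return m ? { type: m[1], subtype: m[2] } : null;
}

// Decide whether a navigation response may be rendered in the payment handler
// window. Allowlist entries may use "*" as the subtype (e.g. "text/*");
// anything unparseable is rejected.
function isAllowedPaymentNavigation(
  contentType,
  allowlist = PAYMENT_NAVIGATION_ALLOWLIST,
) {
  const media = parseMediaType(contentType);
  if (!media) return false;
  return allowlist.some((entry) => {
    const [type, subtype] = entry.toLowerCase().split("/");
    return type === media.type && (subtype === "*" || subtype === media.subtype);
  });
}

// Constructed sample header values, as a payment handler would see them.
const SAMPLE_RESPONSES = [
  "text/html; charset=utf-8", // allowed via text/*
  "application/pdf", // rejected: not on the allowlist
  "APPLICATION/JSON", // allowed: matching is case-insensitive
  "", // rejected: missing type fails closed
];
for (const ct of SAMPLE_RESPONSES) {
  console.log(JSON.stringify(ct), "->", isAllowedPaymentNavigation(ct));
}
```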
@maxlgu
Contributor Author

maxlgu commented Jan 20, 2021

@rsolomakhin @danyao

@rsolomakhin
Collaborator

I think that's a good idea.
