From: Andy Alness <andy@coinbase.com>
To: Mike Hearn <mike@plan99.net>
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Allow cross-site requests of payment requests
Date: Mon, 12 May 2014 10:21:33 -0700 [thread overview]
Message-ID: <CALKy-wqMPvchyCCNYSdPXYEA7uNAA+qVaCCXqd5PNkxs1dr2Wg@mail.gmail.com> (raw)
In-Reply-To: <CANEZrP0Ea-goS-Ba58z62E4cv5QKvYzbOkwT0JJPaXLniE_m5g@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1362 bytes --]
>
> It sounds OK to me, although we should all sleep on it for a bit. The
> reason this header exists is exactly because mobile code fetching random
> web resources can result in surprising security holes.
>
That's fair. From the server perspective, I'd argue that payment requests /
payments already need to be publicly accessible endpoints. Current
practical use requires support for cross-app/cross-device requests for
them. It seems like a reasonable logical extension to explicitly allow for
them to be accessed cross-site as well.
For this to be useful, someone would have to actually want to fully
> implement the payment protocol (with its own root cert store, ASN.1
> parsing, RSA etc) in browser-sandboxed Javascript rather than just
> providing a real app for people to download.
>
I think there is still value in fetching the payment request cross-site
even if the request payload is validated by a 3rd party using a more
conventional TLS/crypto suite. Exposing x.509/RSA/ASN.1/chain verification
functionality strikes me as a useful thing browsers could easily offer but
that's another discussion entirely but sure it could be done all in JS. In
certain environments downloading a "real app" isn't possible/practical.
> Is that really going to be popular, though? I think it's unclear.
>
It certainly won't be if there is no ability :)
-Andy
[-- Attachment #2: Type: text/html, Size: 2231 bytes --]
prev parent reply other threads:[~2014-05-12 17:53 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-12 1:05 [Bitcoin-development] Allow cross-site requests of payment requests Andy Alness
2014-05-12 10:28 ` Mike Hearn
2014-05-12 17:21 ` Andy Alness [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALKy-wqMPvchyCCNYSdPXYEA7uNAA+qVaCCXqd5PNkxs1dr2Wg@mail.gmail.com \
--to=andy@coinbase.com \
--cc=bitcoin-development@lists.sourceforge.net \
--cc=mike@plan99.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox