* [Bitcoin-development] Allow cross-site requests of payment requests
@ 2014-05-12 1:05 Andy Alness
2014-05-12 10:28 ` Mike Hearn
0 siblings, 1 reply; 3+ messages in thread
From: Andy Alness @ 2014-05-12 1:05 UTC (permalink / raw)
To: bitcoin-development
[-- Attachment #1: Type: text/plain, Size: 565 bytes --]
Would it be a terrible idea to amend BIP 70 to suggest implementors include
a "Access-Control-Allow-Origin: *" response header for their payment
request responses? I don't think this opens up any useful attack vectors.
I ask because this would make it practical for pure HTML5 web wallets to
use the payment protocol entirely in-browser. Without this I think it would
be necessary for the server hosting the wallet's HTML to fetch payment
requests on the browser's behalf. This is somewhat inelegant and has
security/resource implications for the back-end.
-Andy
[-- Attachment #2: Type: text/html, Size: 687 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Bitcoin-development] Allow cross-site requests of payment requests
2014-05-12 1:05 [Bitcoin-development] Allow cross-site requests of payment requests Andy Alness
@ 2014-05-12 10:28 ` Mike Hearn
2014-05-12 17:21 ` Andy Alness
0 siblings, 1 reply; 3+ messages in thread
From: Mike Hearn @ 2014-05-12 10:28 UTC (permalink / raw)
To: Andy Alness; +Cc: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 746 bytes --]
>
> Would it be a terrible idea to amend BIP 70 to suggest implementors
> include a "Access-Control-Allow-Origin: *" response header for their
> payment request responses? I don't think this opens up any useful attack
> vectors.
>
It sounds OK to me, although we should all sleep on it for a bit. The
reason this header exists is exactly because mobile code fetching random
web resources can result in surprising security holes.
For this to be useful, someone would have to actually want to fully
implement the payment protocol (with its own root cert store, ASN.1
parsing, RSA etc) in browser-sandboxed Javascript rather than just
providing a real app for people to download.
Is that really going to be popular, though? I think it's unclear.
[-- Attachment #2: Type: text/html, Size: 1052 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Bitcoin-development] Allow cross-site requests of payment requests
2014-05-12 10:28 ` Mike Hearn
@ 2014-05-12 17:21 ` Andy Alness
0 siblings, 0 replies; 3+ messages in thread
From: Andy Alness @ 2014-05-12 17:21 UTC (permalink / raw)
To: Mike Hearn; +Cc: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 1362 bytes --]
>
> It sounds OK to me, although we should all sleep on it for a bit. The
> reason this header exists is exactly because mobile code fetching random
> web resources can result in surprising security holes.
>
That's fair. From the server perspective, I'd argue that payment requests /
payments already need to be publicly accessible endpoints. Current
practical use requires support for cross-app/cross-device requests for
them. It seems like a reasonable logical extension to explicitly allow for
them to be accessed cross-site as well.
For this to be useful, someone would have to actually want to fully
> implement the payment protocol (with its own root cert store, ASN.1
> parsing, RSA etc) in browser-sandboxed Javascript rather than just
> providing a real app for people to download.
>
I think there is still value in fetching the payment request cross-site
even if the request payload is validated by a 3rd party using a more
conventional TLS/crypto suite. Exposing x.509/RSA/ASN.1/chain verification
functionality strikes me as a useful thing browsers could easily offer but
that's another discussion entirely but sure it could be done all in JS. In
certain environments downloading a "real app" isn't possible/practical.
> Is that really going to be popular, though? I think it's unclear.
>
It certainly won't be if there is no ability :)
-Andy
[-- Attachment #2: Type: text/html, Size: 2231 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2014-05-12 17:53 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-05-12 1:05 [Bitcoin-development] Allow cross-site requests of payment requests Andy Alness
2014-05-12 10:28 ` Mike Hearn
2014-05-12 17:21 ` Andy Alness
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox