public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
* [Bitcoin-development] Allow cross-site requests of payment requests
@ 2014-05-12  1:05 Andy Alness
  2014-05-12 10:28 ` Mike Hearn
  0 siblings, 1 reply; 3+ messages in thread
From: Andy Alness @ 2014-05-12  1:05 UTC (permalink / raw)
  To: bitcoin-development

[-- Attachment #1: Type: text/plain, Size: 565 bytes --]

Would it be a terrible idea to amend BIP 70 to suggest implementors include
a "Access-Control-Allow-Origin: *" response header for their payment
request responses? I don't think this opens up any useful attack vectors.

I ask because this would make it practical for pure HTML5 web wallets to
use the payment protocol entirely in-browser. Without this I think it would
be necessary for the server hosting the wallet's HTML to fetch payment
requests on the browser's behalf. This is somewhat inelegant and has
security/resource implications for the back-end.

-Andy

[-- Attachment #2: Type: text/html, Size: 687 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2014-05-12 17:53 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-05-12  1:05 [Bitcoin-development] Allow cross-site requests of payment requests Andy Alness
2014-05-12 10:28 ` Mike Hearn
2014-05-12 17:21   ` Andy Alness

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox