interledger / rfcs

Specifications for Interledger and related protocols
https://interledger.org

0028: dynamic meta tags security issues #540

Closed sublimator closed 5 years ago

sublimator commented 5 years ago

@adrianhopebailie foresees some security issues with the way we are monitoring for dynamically injected meta tags.

traviscrist commented 5 years ago

Are there more details to this that can be captured in this issue so others know what the security issues are?

adrianhopebailie commented 5 years ago

I have a suspicion that we are not immune from another extension modifying the Payment Pointers on a site before we process the tags.

This is an issue to track this discussion, but @sublimator and I agreed we need some expert opinion from browsers on how to do SPAs safely.

sublimator commented 5 years ago

Essentially any third-party code, so currently the model is, 'beware of what scripts you pull in' as an integrator and 'be careful what extensions you install' as an end user. The store review/rating process can help with the latter, but of course ...

sublimator commented 5 years ago

Another point worth capturing here is that even before the observation of meta tag changes, there was seemingly no real way of knowing from a polyfill (extension or script injected) whether the tags were from an SSL-served static HTML document.

sublimator commented 5 years ago

Beyond, of course, re-requesting the document, with all the complications that would involve.
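One way to implement the re-request check discussed above, as an added example that is not code from this issue, the rfcs repo, or any Web Monetization extension: it assumes the `<meta name="monetization" content="$pointer">` tag form, a constructed `STATIC_HTML` string standing in for the re-fetched document, and a constructed `LIVE_POINTERS` list standing in for what a MutationObserver saw in the live DOM.

```javascript
// Added example, not from the interledger/rfcs issue or any extension code.
// Assumes Web Monetization style tags: <meta name="monetization" content="$pointer">.
// A polyfill that re-requests the document can diff the payment pointers in the
// server-sent HTML against the ones it observes in the live DOM, so pointers that
// only exist in the DOM (injected by a script or another extension) are flagged.

const META_RE = /<meta\b[^>]*>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse one <meta ...> tag's attributes into an object with lower-cased names.
function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Extract monetization payment pointers from raw HTML text (the re-fetched document).
function extractPointers(html) {
  const pointers = [];
  for (const m of html.matchAll(META_RE)) {
    const a = parseAttrs(m[0]);
    if ((a.name || '').toLowerCase() === 'monetization' && a.content) {
      pointers.push(a.content.trim());
    }
  }
  return pointers;
}

// Compare live-DOM pointers with those in the server-sent document.
// verified: backed by the static HTML; injected: only in the live DOM (untrusted);
// removed: in the static HTML but no longer in the DOM (something stripped them).
function auditPointers(staticHtml, livePointers) {
  const trusted = new Set(extractPointers(staticHtml));
  const verified = livePointers.filter(p => trusted.has(p));
  const injected = livePointers.filter(p => !trusted.has(p));
  const removed = [...trusted].filter(p => !livePointers.includes(p));
  return { verified, injected, removed };
}

// Constructed sample: what the server sent vs what a MutationObserver saw.
const STATIC_HTML = `<!doctype html><html><head>
<meta charset="utf-8">
<meta name="monetization" content="$wallet.example/site-owner">
</head><body></body></html>`;
const LIVE_POINTERS = ['$wallet.example/site-owner', '$wallet.example/injected-by-extension'];

console.log(JSON.stringify(auditPointers(STATIC_HTML, LIVE_POINTERS)));
```

The comparison is only as trustworthy as the re-request itself, so the second fetch must go over the same HTTPS origin and bypass any cache an injected script could have populated.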

sublimator commented 5 years ago

And of course, it shares these issues with the previous imperative donate(...) and monetize(...) APIs.

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is important, please feel free to bring it up on the next Interledger Community Group Call or in the Gitter chat.