interledger / web-monetization-projects

Coil projects that use Web Monetization. Primarily Coil's browser extension and related WM polyfills.
web-monetization-projects-coilhq.vercel.app
Apache License 2.0

Change polyfill to use document.dispatchEvent(...) rather than window.postMessage(...) #1436

Closed: sublimator closed this issue 3 years ago

sublimator commented 3 years ago

Coordinate with @wmurphyrd WICG/webmonetization#137

wmurphyrd commented 3 years ago

@sublimator does the closed issue mean this change will not be going in?

sublimator commented 3 years ago

@wmurphyrd

Sorry, it made its way into 0.0.52, which will be published hopefully next week!

- Reduce <script> injected code to just one [#1254](https://github.com/coilhq/web-monetization-projects/pull/1254) [#1503](https://github.com/coilhq/web-monetization-projects/pull/1503)
- Remove 'unsafe-eval' from CSP in favor of sha256 of singular polyfill [#1542](https://github.com/coilhq/web-monetization-projects/pull/1542)

wmurphyrd commented 3 years ago

Thanks @sublimator! Does #1542 mean CSP pages will allow the polyfill injection and the separate polyfill will no longer be required?

sublimator commented 3 years ago

@wmurphyrd

No, depending on the page's CSP policy (which seems to take precedence) you may still need to include the polyfill. The main benefit is that it's easier for add-ons to get reviewed/published. The Mozilla/FF add-ons store recently questioned our use of 'unsafe-eval' so we responded by removing it and simply listing the hash of the polyfill.

Thanks.
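Added example, not code from the Coil project or from this thread: a simplified Node.js model of how a CSP `'sha256-…'` source is computed and matched against one inline script, showing that a policy listing the hash allows exactly that script text while a page policy that does not list it still blocks it. The polyfill text and both policies are constructed stand-ins; nonces and `'strict-dynamic'` are not modelled.

```javascript
// Added example: simplified model of CSP hash-source matching for one inline <script>.
const { createHash } = require('node:crypto');

// CSP hash source for inline script text: 'sha256-' + base64(SHA-256(exact bytes)).
function cspHashSource(scriptText) {
  const digest = createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Parse a policy string into Map(directive name -> source list).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Would this policy let the inline script run? Nonces and 'strict-dynamic' are not modelled.
function allowsInlineScript(policy, scriptText) {
  const d = parsePolicy(policy);
  const sources = d.get('script-src-elem') ?? d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) return true; // no governing directive: no restriction
  if (sources.includes(cspHashSource(scriptText))) return true;
  // 'unsafe-inline' is ignored as soon as the list carries any hash or nonce source.
  const hasHashOrNonce = sources.some((s) => /^'(sha(256|384|512)|nonce)-/i.test(s));
  return sources.includes("'unsafe-inline'") && !hasHashOrNonce;
}

// Constructed stand-in for the injected polyfill; the real script text is not on this page.
const POLYFILL = "document.monetization = document.createElement('div');";
const HASH = cspHashSource(POLYFILL);

// Constructed policies: one that lists the hash, and a page policy that does not.
const LISTS_HASH = `script-src 'self' ${HASH}`;
const STRICT_PAGE = "default-src 'self'";

console.log(HASH);
console.log('policy listing the hash:', allowsInlineScript(LISTS_HASH, POLYFILL));
console.log('strict page policy:     ', allowsInlineScript(STRICT_PAGE, POLYFILL));
console.log('one byte changed:       ', allowsInlineScript(LISTS_HASH, POLYFILL + ' '));
```

Because the hash covers the exact script bytes, any change to the injected script requires the listed hash to be regenerated in the same release.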

wmurphyrd commented 3 years ago

@sublimator awesome, thanks for explaining. New version of web-monetization-polyfill is published.