Closed adrianhopebailie closed 7 years ago
You probably don't want them in the URL, you want them on whatever initiates the request (e.g., fetch(request), <link> or whatever).
@marcoscaceres the challenge here is that all you have is the URL.
The scenario is this...
A payment request contains a payment method identifier that the browser has never seen before, so it does a HEAD request on that URL and gets the location of the payment-method manifest. This can be empty or can contain information such as the payment apps that are allowed to handle requests for this method.
We could close this by saying: "The PMI spec requires that the manifest can be fetched securely so integrity checking is redundant", but I'm not sure if that is true?
It depends how the fetch is initiated - and it contains a way of verifying the integrity... see, for example, https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
If it's delivered on TLS, then it can be validated, so long as the page that initiated the request provides the hash to validate against.
This is outside the scope of this specification, so closing. Please open against the payment manifest spec.
Is it possible (and desirable) to have a way to perform resource integrity checks on the manifest?
Can an SRI hash be put directly into the URL somehow (as a query parameter that IS allowed maybe)?
Related to #17 we might want to use ni: URIs that translate to an HTTPS resource. See https://tools.ietf.org/html/draft-farrell-decade-ni-10#section-4 and the examples later showing how
ni://example.com/sha-256;f4OxZX_x_FO5LcGBSKHWXfwtSx-j1ncoSt3SABJtkGk
maps to
http://example.com/.well-known/ni/sha-256/f4OxZX_x_FO5LcGBSKHWXfwtSx-j1ncoSt3SABJtkGk
which could be a redirect to:
http://example.com/payments.manifest
and would allow the browser to validate that the content of the file matches the PMI.
i.e. The SHA256 hash of the content of
http://example.com/payments.manifest
MUST equal 'f4OxZX_x_FO5LcGBSKHWXfwtSx-j1ncoSt3SABJtkGk'
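The ni: mapping and the integrity check proposed in the post above, as an added example that is not part of the original thread or of any payment spec. The function names, the single-algorithm allow-list and the `scheme` parameter are assumptions; the sample body is constructed (the digest in the post's example is the SHA-256 of the ASCII text `Hello World!`).

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Hash names accepted by this sketch; the thread only uses sha-256 (assumed allow-list).
ALGORITHMS = {"sha-256": hashlib.sha256}

# The ni: identifier quoted in the post.
PMI = "ni://example.com/sha-256;f4OxZX_x_FO5LcGBSKHWXfwtSx-j1ncoSt3SABJtkGk"


def parse_ni(ni_uri):
    """Split ni://authority/alg;value into (authority, alg, value)."""
    parts = urlsplit(ni_uri)
    if parts.scheme != "ni":
        raise ValueError("not an ni: URI")
    alg, sep, value = parts.path.lstrip("/").partition(";")
    if not sep or alg not in ALGORITHMS or not value:
        raise ValueError("unsupported or malformed ni: URI")
    return parts.netloc, alg, value


def well_known_url(ni_uri, scheme="https"):
    """Map an ni: URI to its /.well-known/ni/ location on the same authority."""
    authority, alg, value = parse_ni(ni_uri)
    if not authority:
        raise ValueError("ni: URI has no authority to fetch from")
    return f"{scheme}://{authority}/.well-known/ni/{alg}/{value}"


def digest_value(body, alg="sha-256"):
    """Digest of the fetched bytes, base64url-encoded without '=' padding."""
    raw = ALGORITHMS[alg](body).digest()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def manifest_matches(ni_uri, body):
    """True only if the fetched manifest bytes hash to the value in the ni: URI."""
    _, alg, expected = parse_ni(ni_uri)
    return hmac.compare_digest(digest_value(body, alg).encode(), expected.encode())


if __name__ == "__main__":
    print(well_known_url(PMI, scheme="http"))
    print(manifest_matches(PMI, b"Hello World!"))   # constructed manifest body
    print(manifest_matches(PMI, b"Hello World?"))   # one byte changed after redirect
```

The check runs on the bytes finally received, so it holds no matter how many redirects sit between the `.well-known` URL and the manifest.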