w3c / payment-method-id

Payment Method Identifiers specification
https://w3c.github.io/payment-method-id/

SRI on manifest #18

Closed adrianhopebailie closed 7 years ago

adrianhopebailie commented 7 years ago

Is it possible (and desirable) to have a way to perform resource integrity checks on the manifest?

Can an SRI hash be put directly into the URL somehow (as a query parameter that IS allowed maybe)?

Related to #17 we might want to use ni: URIs that translate to an HTTPS resource.

See https://tools.ietf.org/html/draft-farrell-decade-ni-10#section-4 and the examples later showing how

ni://example.com/sha-256;f4OxZX_x_FO5LcGBSKHWXfwtSx-j1ncoSt3SABJtkGk

maps to

http://example.com/.well-known/ni/sha-256/f4OxZX_x_FO5LcGBSKHWXfwtSx-j1ncoSt3SABJtkGk

which could be a redirect to:

http://example.com/payments.manifest

and would allow the browser to validate that the content of the file matches the PMI.

i.e. The SHA256 hash of the content of http://example.com/payments.manifest MUST equal 'f4OxZX_x_FO5LcGBSKHWXfwtSx-j1ncoSt3SABJtkGk'

marcoscaceres commented 7 years ago

You probably don't want them in the URL, you want them on whatever initiates the request (e.g., fetch(request), <link> or whatever).

adrianhopebailie commented 7 years ago

You probably don't want them in the URL, you want them on whatever initiates the request (e.g., fetch(request), or whatever).

@marcoscaceres the challenge here is that all you have is the URL.

The scenario is this...

A payment request contains a payment method identifier that the browser has never seen before, so it does a HEAD request on that URL and gets the location of the payment-method manifest. This can be empty or can contain information such as the payment apps that are allowed to handle requests for this method.

We could close this by saying: "The PMI spec requires that the manifest can be fetched securely so integrity checking is redundant" but I'm not sure if that is true?

marcoscaceres commented 7 years ago

We could close this by saying: "The PMI spec requires that the manifest can be fetched securely so integrity checking is redundant" but I'm not sure if that is true?

It depends how the fetch is initiated - and it contains a way of verifying the integrity... see, for example, https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

If it's delivered on TLS, then it can be validated, so long as the page that initiated the request provides the hash to validate against.

marcoscaceres commented 7 years ago

This is outside the scope of this specification, so closing. Please open against the payment manifest spec.