marcoscaceres closed 7 years ago
Note that "I was hoping you'd abstract validate a bit somehow instead. Parse -> serialize -> parse seems really hacky." got lost due to a commit. One of the downsides of not addressing all comments in a single commit.
@domenic wrote:
> Do you really want to allow about:blank, about:srcdoc, wss: URLs, file: URLs, etc.? (All are potentially trustworthy.)

I think the answer is "no." However, I wonder if there are some use cases for them (e.g., local testing of a payment method?) We've not really discussed those, and I think the intended use cases are for published payment method manifest files.

> Do you want to allow usernames or passwords in the URL?

Again, I think the answer is "no" but there might be use cases we've not considered.

> What is wrong with queries?

I don't recall the rationale exactly, but I think it had to do with simplicity.

These are good questions.
Ian
This is ready for final review.