w3c / payment-method-manifest

Specification for Web Payments payment method manifests
https://w3c.github.io/payment-method-manifest/

Fetches should probably use CORS #22

Closed: domenic closed this issue 6 years ago

domenic commented 6 years ago

Now that we have a client, we should be respecting the CORS protocol in all these fetches. I meant to include this in #21 but did not.

In particular, this would mean that cross-origin manifests would need to have the proper headers, such as Access-Control-Allow-Origin: *.

This would apply for both the PMM fetching and the web app manifest fetching.

@rsolomakhin is this reasonable in Chrome's implementation?
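
An added example, not part of the issue thread or the specification: the CORS check from the Fetch Standard written out in JavaScript and run over constructed response headers, to show which header sets let a cross-origin manifest through. The origin `https://merchant.example`, the sample header sets and the function names are assumptions made for illustration.

```javascript
// Added example. Origins and header sets below are constructed.

// Fetch's header "get": case-insensitive name match, all values joined by ", ".
function getHeader(headers, name) {
  const values = headers
    .filter(([n]) => n.toLowerCase() === name.toLowerCase())
    .map(([, v]) => v.trim());
  return values.length ? values.join(", ") : null;
}

// CORS check: may this cross-origin response be exposed to the requester?
function corsCheck(requestOrigin, credentialsMode, headers) {
  const allowOrigin = getHeader(headers, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return false;            // header missing
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== requestOrigin) return false;   // exact, case-sensitive match
  if (credentialsMode !== "include") return true;
  return getHeader(headers, "Access-Control-Allow-Credentials") === "true";
}

const MERCHANT = "https://merchant.example"; // hypothetical requesting origin

// Constructed header sets a manifest host might send.
const SAMPLES = {
  wildcard: [["Access-Control-Allow-Origin", "*"]],
  missing: [["Cache-Control", "max-age=3600"]],
  exact: [["access-control-allow-origin", MERCHANT]],
  otherOrigin: [["Access-Control-Allow-Origin", "https://other.example"]],
  // Two headers combine to "*, https://merchant.example", which matches nothing.
  duplicated: [
    ["Access-Control-Allow-Origin", "*"],
    ["Access-Control-Allow-Origin", MERCHANT],
  ],
  exactWithCredentials: [
    ["Access-Control-Allow-Origin", MERCHANT],
    ["Access-Control-Allow-Credentials", "true"],
  ],
};

// Run every sample under one credentials mode ("omit", "same-origin", "include").
function evaluateSamples(credentialsMode) {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, headers]) =>
      [name, corsCheck(MERCHANT, credentialsMode, headers)])
  );
}

console.log("omit:", evaluateSamples("omit"));
console.log("include:", evaluateSamples("include"));
```

The wildcard only passes when credentials are not included, and a host that emits the header twice fails the check even though each value alone would pass.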

rsolomakhin commented 6 years ago

@domenic yes, that's the plan. @marcoscaceres: is this the one you had in mind?

marcoscaceres commented 6 years ago

Yep, and we need a strict referrer policy too.

domenic commented 6 years ago

@marcoscaceres let me quickly fix this, and you can open a separate issue with some details on referrer policy? Right now we use the default "client" referrer where it just gets the default referrer URL of the global like everything else, but we can easily change that.