w3c / payment-method-manifest

Specification for Web Payments payment method manifests
https://w3c.github.io/payment-method-manifest/

Clarify referrer policy #23

Closed marcoscaceres closed 6 years ago

marcoscaceres commented 6 years ago

We want to restrict the referrer policy to not leak information about a product or service that a user is paying for. At the same time, we want the payment app hosting the manifest to protect itself from DoS attacks or bad actors.

As such, we need some restrictive origin policy, like "strict-origin-when-cross-origin" or similar...

domenic commented 6 years ago

@rsolomakhin @marcoscaceres as far as I can tell strict-origin-when-cross-origin is a pretty reasonable change that helps address this. Any reason not to just change the spec?

rsolomakhin commented 6 years ago

I'm OK with this.

marcoscaceres commented 6 years ago

Sounds great. Thanks @domenic.

domenic commented 6 years ago

So going to work on this, I realized that there are actually three requests involved, and right now they all happen to use the page's URL as the referrer:

I think we're mostly concerned about protecting the first of these, right? So that should get strict-origin-when-cross-origin referrer policy.

For the other two, I think instead of changing the referrer policy, we should actually change the referrer, to reflect the resource that initiated the request. So the PMM request's referrer should be the identifier URL, and the web app manifest's referrer should be the PMM's URL. How does that sound?

rsolomakhin commented 6 years ago

That sounds logical, @domenic 👍
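
The referrer chain proposed in the thread, worked through as an added example (not code from the spec or from any commenter): it computes what `strict-origin-when-cross-origin` sends for each of the three requests when each request's referrer is the resource that initiated it. Assumptions: the first request is the fetch of the payment method identifier URL from the merchant page, the same policy is applied to all three hops, only `https:` counts as trustworthy, and every URL and function name is constructed for illustration.

```javascript
// Added illustration; all URLs and function names are constructed.

// Strip a URL for use as a referrer: drop credentials and fragment, and for
// the origin-only form also drop path and query (Referrer Policy algorithm).
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (!["http:", "https:"].includes(u.protocol)) return null; // about:, data:, ...
  u.username = "";
  u.password = "";
  u.hash = "";
  if (originOnly) {
    u.pathname = "/";
    u.search = "";
  }
  return u.href;
}

// Simplification (assumption): only https: is treated as trustworthy.
function isTrustworthy(url) {
  return new URL(url).protocol === "https:";
}

// Referer value under strict-origin-when-cross-origin, or null when none is sent.
function strictOriginWhenCrossOrigin(referrer, target) {
  const sameOrigin = new URL(referrer).origin === new URL(target).origin;
  if (sameOrigin) return stripForReferrer(referrer, false);           // full URL
  if (isTrustworthy(referrer) && !isTrustworthy(target)) return null; // downgrade
  return stripForReferrer(referrer, true);                            // origin only
}

// Hop 1: page -> identifier URL. Hop 2: identifier URL -> payment method
// manifest (PMM). Hop 3: PMM -> web app manifest.
function manifestFetchReferrers(pageUrl, identifierUrl, pmmUrl, webAppManifestUrl) {
  const hops = [[pageUrl, identifierUrl], [identifierUrl, pmmUrl], [pmmUrl, webAppManifestUrl]];
  return hops.map(([from, to]) => ({
    request: to,
    referrer: strictOriginWhenCrossOrigin(from, to),
  }));
}

// Constructed sample: the cart path and query must not reach the payment app.
const chain = manifestFetchReferrers(
  "https://merchant.example/checkout/cart?item=widget-42#pay",
  "https://pay.example/method",
  "https://pay.example/method/manifest.json",
  "https://app.example/manifest.webmanifest"
);
console.log(chain);
```

With the constructed URLs, the payment app's server sees only the merchant's origin on the first hop, which still gives it something to rate-limit or block on without learning what is being bought.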