w3c / payment-method-manifest

Specification for Web Payments payment method manifests
https://w3c.github.io/payment-method-manifest/

Restrict origin of "default_applications" #34

Open rsolomakhin opened 5 years ago

rsolomakhin commented 5 years ago

Since browsers may use the "default_applications" URL for just-in-time installs of service workers, the validation algorithm should check that this URL is of the same origin as the payment method manifest URL. This will ensure that https://alice.com would install service workers only from https://alice.com. This is especially important for websites that can host arbitrary user data, such as https://github.com, where, for example, Eve can trick https://alice.github.io/ to host a payment method manifest with "default_applications": ["https://eve.github.io"].

For example, this is valid:

https://alice.github.io/pmm.json

```json
{"default_applications": ["https://alice.github.io/app.json"]}
```

But this should not be valid:

https://alice.github.io/pmm.json

```json
{"default_applications": ["https://eve.github.io/app.json"]}
```

danyao commented 5 years ago

I'm a little concerned that this increases the coupling between payment method ownership and payment app provider. For example, this change would eliminate options such as W3C hosting a payment method manifest for SRC - although perhaps the decision to not go down that route means this option is not valuable.

Taking a step back, I have two questions:

[1] https://w3c.github.io/payment-method-manifest/

rsolomakhin commented 5 years ago

> What is the purpose of default_applications? If it is only meant for JIT, then the spec [1] should state that.

You're right, that's the purpose of "default_applications" and the spec should state that.

> What is the attack vector if we allow installing service worker from a different origin as the payment method manifest?

The relevant discussion is here: https://crbug.com/910305.

adrianhopebailie commented 5 years ago

It seems like this restriction should adhere to what's defined in supported_origins, no? If the manifest at alice.github.io explicitly allows apps from https://eve.github.io then this should be okay.

Allowed:

```json
{
  "default_applications": ["https://eve.github.io/app.json"],
  "supported_origins": ["https://eve.github.io", "https://alice.github.io"]
}
```

Allowed:

```json
{
  "default_applications": ["https://eve.github.io/app.json"],
  "supported_origins": "*"
}
```

Not Allowed:

```json
{
  "default_applications": ["https://eve.github.io/app.json"]
}
```

Not Allowed:

```json
{
  "default_applications": ["https://eve.github.io/app.json"],
  "supported_origins": ["https://alice.github.io"]
}
```

I agree with @danyao that this seems to be unnecessarily coupling the payment method ownership with default app ownership but perhaps that is a compromise we have to make for security.
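The two checks debated in this thread, written out as an added example (not the spec's algorithm text or any browser's code): a strict same-origin rule as proposed in the opening comment, and the relaxation via `supported_origins` proposed just above. Function names and the sample manifests are hypothetical; the cases mirror the four manifests listed in the previous comment.

```javascript
// Added example: origin check for "default_applications" as discussed in
// this thread. Not the spec's normative text; function names are hypothetical.

// Return the web origin of a URL, or null if it is not a parseable https URL.
function originOf(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" ? u.origin : null; // only secure origins
  } catch {
    return null;
  }
}

// Decide whether one default application URL may be used for a manifest fetched
// from manifestUrl. strict=true: same origin only (opening proposal).
// strict=false: also allow an origin the manifest lists in "supported_origins"
// or a wildcard "*" (the relaxation proposed above).
function allowedDefaultApplication(manifestUrl, appUrl, supportedOrigins, strict = false) {
  const manifestOrigin = originOf(manifestUrl);
  const appOrigin = originOf(appUrl);
  if (manifestOrigin === null || appOrigin === null) return false;
  if (appOrigin === manifestOrigin) return true;
  if (strict) return false;
  if (supportedOrigins === "*") return true;
  if (Array.isArray(supportedOrigins)) {
    return supportedOrigins.some((o) => originOf(o) === appOrigin);
  }
  return false;
}

// Keep only the default applications of a parsed manifest that pass the check.
function validDefaultApplications(manifestUrl, manifest, strict = false) {
  const apps = Array.isArray(manifest.default_applications) ? manifest.default_applications : [];
  return apps.filter((app) =>
    allowedDefaultApplication(manifestUrl, app, manifest.supported_origins, strict));
}

// Constructed sample: manifest hosted at alice.github.io naming eve's app.
const MANIFEST_URL = "https://alice.github.io/pmm.json";
const SAMPLE_MANIFEST = {
  default_applications: ["https://alice.github.io/app.json", "https://eve.github.io/app.json"],
  supported_origins: ["https://alice.github.io"],
};
console.log(validDefaultApplications(MANIFEST_URL, SAMPLE_MANIFEST));
```

Note that `"supported_origins": "*"` makes the relaxed check accept any https origin, so a browser applying it still relies on the manifest author having opted in deliberately.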