In the same spirit of the privacy & security discussion of payment handlers at the WPWG virtual F2F [1], we should remove the "*" functionality from supported_origins because it poses an asymmetric phishing threat:
Preconditions:
1. A malicious payment handler, e.g. phishypay.example, somehow manages to install itself and claims support for openpay.example.
2. openpay.example's payment method manifest specifies "*" for supported_origins.

Attack:
1. User visits a trusted merchant, e.g. goodshop.example.
2. The merchant uses a trusted payment method, e.g. openpay.example.
3. Browser invokes phishypay.example, which phishes the user for their openpay.example credentials.
This attack is dangerous because it doesn't require merchant collusion.
Removing "*" would require merchant collusion with phishypay.example to pull off the same attack, which is a higher bar for malicious actors.
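To make the asymmetry concrete, here is a small model of the supported_origins check a browser performs before letting an installed payment handler act for a payment method. This is an added illustration, not spec text or any browser's code: the two manifests, the origins and the helper names (`handler_allowed`, `describe_policy`) are constructed for the example. It shows that with `"*"` the phishypay.example handler from the preconditions above passes the check for openpay.example, while an explicit origin list rejects it.

```python
"""Model of a browser's supported_origins check (constructed example, not spec or browser code)."""
from urllib.parse import urlsplit

# Constructed payment method manifests for openpay.example; only the
# supported_origins member matters for this check.
MANIFEST_WILDCARD = {
    "default_applications": ["https://openpay.example/manifest.json"],
    "supported_origins": "*",  # any installed handler may claim to support this method
}
MANIFEST_EXPLICIT = {
    "default_applications": ["https://openpay.example/manifest.json"],
    "supported_origins": ["https://openpay.example", "https://wallet.openpay.example"],
}

# Constructed handler origin from the issue's scenario.
PHISHING_HANDLER = "https://phishypay.example"


def normalize_origin(url: str) -> str:
    """Reduce a URL to its https origin (scheme + lowercase host + explicit port if any).
    Rejects anything that is not a secure origin, since handlers must be served over https."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not a secure origin: {url!r}")
    host = parts.hostname.lower()
    return f"https://{host}" if parts.port in (None, 443) else f"https://{host}:{parts.port}"


def handler_allowed(manifest: dict, handler_origin: str) -> bool:
    """Return True if a handler at handler_origin may act for the payment method
    described by manifest, according to its supported_origins member."""
    supported = manifest.get("supported_origins")
    if supported == "*":
        # Wildcard: every installed handler qualifies, including a malicious one.
        return True
    if not isinstance(supported, list):
        # Missing or malformed: no third-party origin is trusted.
        return False
    allowed = {normalize_origin(o) for o in supported}
    return normalize_origin(handler_origin) in allowed


def describe_policy(manifest: dict) -> str:
    """Classify a manifest's supported_origins for review purposes."""
    supported = manifest.get("supported_origins")
    if supported == "*":
        return "wildcard: any installed handler can claim this method"
    if isinstance(supported, list):
        return f"explicit: {len(supported)} trusted origin(s)"
    return "none: no third-party handlers"


if __name__ == "__main__":
    for name, manifest in (("wildcard", MANIFEST_WILDCARD), ("explicit", MANIFEST_EXPLICIT)):
        print(name, "->", describe_policy(manifest),
              "| phishypay allowed:", handler_allowed(manifest, PHISHING_HANDLER))
```

Run stand-alone, the wildcard manifest lets the phishing handler through without any merchant involvement, whereas the explicit manifest rejects it; the merchant would have to deliberately request phishypay.example as a payment method to reach the same outcome.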
[1] https://www.w3.org/2020/03/30-wpwg-minutes.html#item02