Define Content Security Policy for allowed Payment Pointer origins #29
Comments
|
Consider that someone, somewhere made the decision not to have a CSP directive govern the Payment Request API, but instead as a policy-controlled feature named I don't think there's a need for a CSP directive if there is a FP feature... |
|
@Malvoz this is for a different purpose. This allows the site owner to define restrictions around the origins of Payment Pointers that are used. Feature Policy would be for controlling which third-party contexts can be monetized. Or am I misunderstanding? |
|
A document can impose a Feature-Policy on itself, e.g. by sending along a Feature-Policy HTTP header, or potentially using a In other words Feature-Policy can be delegated both using an HTTP header (which controls the document itself and third-parties), and the |
|
Right, but it feels like in this case we're using FP to allow (or not) monetization and CSP to specify which Payment Pointers are allowed. |
|
That makes sense, these are 2 separate concerns. Sorry for the distraction. |
|
I've added Permission Policy integration in #214, but it would make sense to also restrict the origins from which the setup JSON is sourced. |
|
Noting, this would need to be added to the Fetch spec.... the WM spec could make note of it tho. |
|
CSP is now defined in PR #193 |
From #14 (comment) originally posted by @justmoon
... make Web Monetization part of the Content Security Policy in the future. For instance, my CSP could determine which origins I allow for payment pointers:
Content-Security-Policy: default-src 'none'; monetization-src mywallet.comWhich would allow payment pointers starting with $mywallet.com.
The text was updated successfully, but these errors were encountered: