Define Content Security Policy for allowed Payment Pointer origins #29
Comments
Consider that someone, somewhere made the decision not to have a CSP directive govern the Payment Request API, but instead as a policy-controlled feature named I don't think there's a need for a CSP directive if there is a FP feature...
@Malvoz this is for a different purpose. This allows the site owner to define restrictions around the origins of Payment Pointers that are used. Feature Policy would be for controlling which third-party contexts can be monetized. Or am I misunderstanding?
A document can impose a Feature-Policy on itself, e.g. by sending along a Feature-Policy HTTP header, or potentially using a In other words Feature-Policy can be delegated both using an HTTP header (which controls the document itself and third-parties), and the
Right, but it feels like in this case we're using FP to allow (or not) monetization and CSP to specify which Payment Pointers are allowed.
That makes sense, these are 2 separate concerns. Sorry for the distraction.
I've added Permission Policy integration in #214, but it would make sense to also restrict the origins from which the setup JSON is sourced.
Noting, this would need to be added to the Fetch spec.... the WM spec could make note of it tho.
CSP is now defined in PR #193
From #14 (comment) originally posted by @justmoon
... make Web Monetization part of the Content Security Policy in the future. For instance, my CSP could determine which origins I allow for payment pointers:
Content-Security-Policy: default-src 'none'; monetization-src mywallet.com
Which would allow payment pointers starting with $mywallet.com.
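As an added example (not part of the original issue or of the Web Monetization spec), this sketch checks a payment pointer against the proposed `monetization-src` directive by comparing the resolved host rather than a string prefix, so `$mywallet.com.other.example` does not pass as "starting with `$mywallet.com`". The function names, the support for only bare-host and `*.host` sources, and the decision not to model `default-src` fallback are assumptions.

```javascript
// Added sketch. "monetization-src" is the directive proposed in the issue; the
// function names and matching rules below are assumptions, not spec text.

// "$host/path" -> https://host/path ; bare "$host" -> https://host/.well-known/pay
function resolvePaymentPointer(pointer) {
  if (typeof pointer !== 'string' || !pointer.startsWith('$')) {
    throw new TypeError('payment pointer must start with "$"');
  }
  const url = new URL('https://' + pointer.slice(1));
  // Only host and path are accepted, so "$mywallet.com@other.example" cannot
  // smuggle in a different host behind a familiar-looking prefix.
  if (url.username || url.password || url.port || url.search || url.hash) {
    throw new TypeError('payment pointer may only contain a host and a path');
  }
  if (url.pathname === '/') url.pathname = '/.well-known/pay';
  return url;
}

// Source expressions of monetization-src, or null when the directive is absent.
function monetizationSources(cspHeader) {
  for (const directive of cspHeader.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'monetization-src') return sources;
  }
  return null;
}

// Handles bare-host and "*.host" sources only; anything else fails closed.
function isPointerAllowed(cspHeader, pointer) {
  const sources = monetizationSources(cspHeader);
  if (sources === null) return true; // assumption: default-src fallback not modelled
  let host;
  try {
    host = resolvePaymentPointer(pointer).hostname;
  } catch (err) {
    return false; // malformed pointers are never allowed
  }
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s.startsWith('*.')) return host.endsWith(s.slice(1)); // subdomains only
    return host === s; // exact host match, not a string prefix
  });
}

// Constructed sample input: the header from the issue and two pointers.
const header = "default-src 'none'; monetization-src mywallet.com";
for (const p of ['$mywallet.com/alice', '$mywallet.com.other.example/alice']) {
  console.log(p, isPointerAllowed(header, p));
}
```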