Would it be a terrible idea to amend BIP 70 to suggest implementors include
a "Access-Control-Allow-Origin: *" response header for their payment
request responses? I don't think this opens up any useful attack vectors.

I ask because this would make it practical for pure HTML5 web wallets to
use the payment protocol entirely in-browser. Without this I think it would
be necessary for the server hosting the wallet's HTML to fetch payment
requests on the browser's behalf. This is somewhat inelegant and has
security/resource implications for the back-end.

"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.
Get unparalleled scalability from the best Selenium testing platform available
Simple to use. Nothing to install. Get started now for free."
Bitcoin-development mailing list

Reply via email to