> Would it be a terrible idea to amend BIP 70 to suggest implementors
> include a "Access-Control-Allow-Origin: *" response header for their
> payment request responses? I don't think this opens up any useful attack
> vectors.

It sounds OK to me, although we should all sleep on it for a bit. The
reason this header exists is exactly because mobile code fetching random
web resources can result in surprising security holes.

For this to be useful, someone would have to actually want to fully
implement the payment protocol (with its own root cert store, ASN.1
parsing, RSA etc) in browser-sandboxed Javascript rather than just
providing a real app for people to download.

Is that really going to be popular, though? I think it's unclear.
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.
Get unparalleled scalability from the best Selenium testing platform available
Simple to use. Nothing to install. Get started now for free."
Bitcoin-development mailing list

Reply via email to