> On Jul 2, 2015, at 4:27 PM, Andy McKay <[email protected]> wrote: > > >> On Jul 2, 2015, at 1:33 PM, Shane Tomlinson <[email protected] >> <mailto:[email protected]>> wrote: >> >> Ah, I conflated Marketplace with Payments in my mind. What are your iframe >> plans for Payments, and are there any alternatives to using an iframe, >> possibly the redirect flow? > > Possibly, we were hoping to provide payments in a low key way as possible and > were doing our best to provide a flow similar to your iframe flow. i.e. > > * site does iframe login using your library > * then opens up an iframe using our library using payments-client > * a promise is completed in the calling site, when the payment is complete > > You can see that sort of flow here: http://pay.dev.mozaws.net/ > <http://pay.dev.mozaws.net/> (video > http://andymckay.github.io/presentations/mozilla-q2-2015-payments/media/pay-fxa-first-purchase.ogg > > <http://andymckay.github.io/presentations/mozilla-q2-2015-payments/media/pay-fxa-first-purchase.ogg>) > > The flows are independent, if the iframe flow for FxA was removed, our > payments flow could still work in an iframe. > > So from our point of view, its more up to the clients that FxA has and what > they’d like to do. We think the iframe is pretty spiffy though and I wish > more people would use it.
To reiterate, we like the iframe flow for payments because it seems like the least intrusive way to submit a payment (on desktop). We do not want to redirect the user to a new page nor do we want to use popups. Since you mentioned security in your original approach, I’m cc’ing Adam Muntner here; he’s been helping us with the security around payments. When we originally talked about using an iframe, we felt the security aspects were tolerable since we were limiting usage to Mozilla properties only. Kumar > >> Firstrun flow is distinct from your work, the first run flow is the tour >> that is displayed the first time a Firefox user opens Firefox with a new >> profile. >> >> Thanks Andy, >> Shane >> >> >> On Thu, Jul 2, 2015 at 9:18 PM, Andrew McKay <[email protected] >> <mailto:[email protected]>> wrote: >> I don't think the Marketplace ever supported the iframe flow, but you'd have >> to ask the Marketplace about their plans (we don't work on it anymore). >> >> Would be concerned that this affects payments who were planning on using the >> iframe flow using the library you wrote, but then you confused me by saying >> " iframe support would still be available for the first run flow". >> >> Sorry, I'm not up on the terminology and don't know the full extent of your >> proposal. >> >> On Thu, Jul 2, 2015 at 7:59 AM, Shane Tomlinson <[email protected] >> <mailto:[email protected]>> wrote: >> I propose we remove iframe support for OAuth reliers. >> >> We currently allow OAuth reliers and the upcoming firstrun flow to iframe >> FxA. Iframe support was added to allow Marketplace to embed FxA in-content. >> >> Some fairly byzantine client-side checks are performed to ensure we aren't >> opening users up to phishing attacks. Those checks are complex, and >> honestly, pretty gross. >> >> Ryan Kelly asked a good question - if no OAuth reliers currently ifram FxA, >> why do we even offer the functionality? >> >> Marketplace was able to integrate FxA without using an iframe. No other >> OAuth reliers that I know of use the iframe. I'd like to rip out OAuth >> relier iframe support and reduce the possible attack surface area. >> >> Without iframe support, could simplify the content server, 123done (a test >> relier), and the fxa-relier-client. >> >> Note, iframe support would still be available for the first run flow, no >> changes there. >> >> Andy and Stuart, this would primarily affect you. Does anybody else know of >> an OAuth relier that iframes FxA? >> >> Shane >> >> ------------------------ >> >> [1] - https://tools.ietf.org/html/rfc7034#section-2.1 >> <https://tools.ietf.org/html/rfc7034#section-2.1> >> >> > > _______________________________________________ > Dev-fxacct mailing list > [email protected] > https://mail.mozilla.org/listinfo/dev-fxacct
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Dev-fxacct mailing list [email protected] https://mail.mozilla.org/listinfo/dev-fxacct
