Re: [Bitcoin-development] Allow cross-site requests of payment requests

2014-05-12 Thread Mike Hearn
Would it be a terrible idea to amend BIP 70 to suggest implementors include an Access-Control-Allow-Origin: * response header for their payment request responses? I don't think this opens up any useful attack vectors. It sounds OK to me, although we should all sleep on it for a bit. The

Re: [Bitcoin-development] Allow cross-site requests of payment requests

2014-05-12 Thread Andy Alness
It sounds OK to me, although we should all sleep on it for a bit. The reason this header exists is exactly because mobile code fetching random web resources can result in surprising security holes. That's fair. From the server perspective, I'd argue that payment requests / payments already

[Bitcoin-development] Allow cross-site requests of payment requests

2014-05-11 Thread Andy Alness
Would it be a terrible idea to amend BIP 70 to suggest implementors include an Access-Control-Allow-Origin: * response header for their payment request responses? I don't think this opens up any useful attack vectors. I ask because this would make it practical for pure HTML5 web wallets to use the