Rouslan Solomakhin authored
Before this patch, any payment handler could claim to support any payment method name. This would be problematic for the owners of payment methods that require certification, for example.

This patch uses the "supported_origins" field of the payment method manifest file to restrict which payment handlers are allowed to use payment methods.

https://w3c.github.io/payment-method-manifest/

The "supported_origins" code from Android could not be re-used verbatim, because it also needs to verify authenticity of payment app's claim of their origin based on the Android app's fingerprints, which does not apply to payment handlers.

After this patch, payment handlers can use only the following payment methods:

1) Standardized payment methods "basic-card" and "interledger".
2) URL payment methods with the same origin as the payment handler,
3) URL payment methods whose manifests state "supported_origins": "*",
4) URL payment methods whose "supported_origins" is a list that includes the origin of this payment handler.

Bug: 763417
Change-Id: I7668f34f0a6a87d045dde1dba4de4b5553844760
Reviewed-on: https://chromium-review.googlesource.com/658062
Commit-Queue: Rouslan Solomakhin <rouslan@chromium.org>
Reviewed-by: Sylvain Defresne <sdefresne@chromium.org>
Reviewed-by: Scott Violet <sky@chromium.org>
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Reviewed-by: Ganggui Tang <gogerald@chromium.org>
Reviewed-by: Mathieu Perreault <mathp@chromium.org>
Cr-Commit-Position: refs/heads/master@{#503147}
de01253c
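
The four rules listed in the commit message, written out as an added example; this is not Chromium's code and is not taken from the commit. The function names, the https-only restriction and the sample URLs are assumptions made for illustration.

```javascript
// Added illustration; function and variable names are hypothetical, not Chromium's.
const STANDARDIZED_METHODS = new Set(["basic-card", "interledger"]);

// Returns the origin of an https URL, or null for anything else.
// Restricting to https is an assumption of this sketch; it also keeps
// opaque origins (which serialize as "null") from ever comparing equal.
function originOf(url) {
  try {
    const parsed = new URL(url);
    return parsed.protocol === "https:" ? parsed.origin : null;
  } catch {
    return null;
  }
}

// handlerScope: URL the payment handler is registered under.
// methodName: payment method identifier the handler claims.
// manifestJson: text of the method's payment method manifest, or undefined
// if it could not be fetched.
function handlerMayUseMethod(handlerScope, methodName, manifestJson) {
  if (STANDARDIZED_METHODS.has(methodName)) return true; // rule 1
  const handlerOrigin = originOf(handlerScope);
  const methodOrigin = originOf(methodName);
  if (!handlerOrigin || !methodOrigin) return false;
  if (handlerOrigin === methodOrigin) return true; // rule 2
  let manifest;
  try {
    manifest = JSON.parse(manifestJson);
  } catch {
    return false; // missing or malformed manifest: deny
  }
  if (manifest === null || typeof manifest !== "object") return false;
  const supported = manifest.supported_origins;
  if (supported === "*") return true; // rule 3
  if (!Array.isArray(supported)) return false;
  // rule 4: compare parsed origins, never string prefixes
  return supported.some((o) => typeof o === "string" && originOf(o) === handlerOrigin);
}

// Constructed sample data.
const handler = "https://handler.example/app/";
const method = "https://pay.example/method";
const allowList = '{"supported_origins": ["https://handler.example"]}';
const otherList = '{"supported_origins": ["https://handler.example.evil.test"]}';
console.log(handlerMayUseMethod(handler, method, allowList)); // true
console.log(handlerMayUseMethod(handler, method, otherList)); // false
```

The look-alike origin in `otherList` is rejected because each entry is parsed to an origin before comparison, and a missing or malformed manifest denies the claim.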