Issue 763417

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac
Pri: 1
Type: Feature


Participants' hotlists:
Payment-Handler


Verify supported origins of service worker payment apps.

Project Member Reported by rouslan@chromium.org, Sep 8 2017

Issue description

Verify supported origins of service worker payment apps.
 
Project Member

Comment 1 by bugdroid1@chromium.org, Sep 20 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/de01253cefb1e951e931efd0153b96b4a6b4b0d2

commit de01253cefb1e951e931efd0153b96b4a6b4b0d2
Author: Rouslan Solomakhin <rouslan@chromium.org>
Date: Wed Sep 20 15:18:34 2017

[Payments] Verify supported origin of service worker payment app.

Before this patch, any payment handler could claim to support any
payment method name. This would be problematic for the owners of payment
methods that require certification, for example.

This patch uses the "supported_origins" field of the payment method
manifest file to restrict which payment handlers are allowed to use
payment methods.

  https://w3c.github.io/payment-method-manifest/

The "supported_origins" code from Android could not be re-used verbatim,
because it also needs to verify authenticity of payment app's claim of
their origin based on the Android app's fingerprints, which does not
apply to payment handlers.

After this patch, payment handlers can use only the following payment
methods:
1) Standardized payment methods "basic-card" and "interledger".
2) URL payment methods with the same origin as the payment handler,
3) URL payment methods whose manifests state "supported_origins": "*",
4) URL payment methods whose "supported_origins" is a list that includes
   the origin of this payment handler.

Bug:  763417 
Change-Id: I7668f34f0a6a87d045dde1dba4de4b5553844760
Reviewed-on: https://chromium-review.googlesource.com/658062
Commit-Queue: Rouslan Solomakhin <rouslan@chromium.org>
Reviewed-by: Sylvain Defresne <sdefresne@chromium.org>
Reviewed-by: Scott Violet <sky@chromium.org>
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Reviewed-by: Ganggui Tang <gogerald@chromium.org>
Reviewed-by: Mathieu Perreault <mathp@chromium.org>
Cr-Commit-Position: refs/heads/master@{#503147}
[modify] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/chrome/browser/android/payments/service_worker_payment_app_bridge.cc
[modify] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/chrome/browser/payments/android/payment_manifest_web_data_service_android.h
[add] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/chrome/browser/payments/manifest_verifier_browsertest.cc
[modify] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/chrome/browser/web_data_service_factory.cc
[modify] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/chrome/browser/web_data_service_factory.h
[modify] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/chrome/test/BUILD.gn
[modify] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/components/BUILD.gn
[delete] https://crrev.com/c3f22000a05489584ffbd98441eff63b38fe3a46/components/payments/android/BUILD.gn
[delete] https://crrev.com/c3f22000a05489584ffbd98441eff63b38fe3a46/components/payments/android/DEPS
[delete] https://crrev.com/c3f22000a05489584ffbd98441eff63b38fe3a46/components/payments/android/OWNERS
[modify] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/components/payments/content/BUILD.gn
[modify] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/components/payments/content/DEPS
[modify] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/components/payments/content/OWNERS
[add] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/components/payments/content/manifest_verifier.cc
[add] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/components/payments/content/manifest_verifier.h
[rename] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/components/payments/content/payment_manifest_web_data_service.cc
[rename] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/components/payments/content/payment_manifest_web_data_service.h
[rename] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/components/payments/content/payment_method_manifest_table.cc
[rename] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/components/payments/content/payment_method_manifest_table.h
[rename] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/components/payments/content/payment_method_manifest_table_unittest.cc
[rename] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/components/payments/content/web_app_manifest_section_table.cc
[rename] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/components/payments/content/web_app_manifest_section_table.h
[rename] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/components/payments/content/web_app_manifest_section_table_unittest.cc
[modify] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/components/payments/core/payment_manifest_downloader.cc
[modify] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/components/payments/core/payment_manifest_downloader.h
[modify] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/components/webdata/common/web_data_results.h
[modify] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/components/webdata_services/BUILD.gn
[modify] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/components/webdata_services/DEPS
[modify] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/components/webdata_services/web_data_service_wrapper.cc
[modify] https://crrev.com/de01253cefb1e951e931efd0153b96b4a6b4b0d2/components/webdata_services/web_data_service_wrapper.h

Status: Fixed (was: Started)
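
The four rules listed in the commit message above, as an added JavaScript example of the decision logic; it is not Chromium's manifest_verifier.cc and not code from this issue. The function names, the sample origins and manifests, the https-only requirement and the fail-closed handling of a missing manifest are assumptions made for illustration.

```javascript
// Added example: decision logic only, not Chromium's manifest_verifier.cc.
const STANDARDIZED = new Set(["basic-card", "interledger"]);

// Origin of an https URL, or null when the value is not one (assumption:
// URL payment methods and handler scopes must be https).
function httpsOrigin(value) {
  try {
    const url = new URL(value);
    return url.protocol === "https:" ? url.origin : null;
  } catch {
    return null;
  }
}

// handlerScope: scope URL of the payment handler's service worker.
// method: payment method name the handler claims to support.
// manifest: parsed payment method manifest for `method`, or null.
function isMethodAllowed(handlerScope, method, manifest) {
  if (STANDARDIZED.has(method)) return true; // rule 1
  const handlerOrigin = httpsOrigin(handlerScope);
  const methodOrigin = httpsOrigin(method);
  if (!handlerOrigin || !methodOrigin) return false;
  if (handlerOrigin === methodOrigin) return true; // rule 2
  if (!manifest) return false; // no manifest: fail closed
  const supported = manifest.supported_origins;
  if (supported === "*") return true; // rule 3
  if (!Array.isArray(supported)) return false;
  // Rule 4: compare parsed origins, never prefixes or substrings.
  return supported.some((o) => httpsOrigin(o) === handlerOrigin);
}

// Constructed sample data: a handler at wallet.example and the manifests
// a browser would have fetched for each claimed URL payment method.
function demo() {
  const scope = "https://wallet.example/app/";
  const manifests = new Map([
    ["https://open.example/pay", { supported_origins: "*" }],
    ["https://certified.example/pay",
      { supported_origins: ["https://WALLET.example:443"] }],
    ["https://strict.example/pay",
      { supported_origins: ["https://wallet.example.evil.test", "*"] }],
  ]);
  const claimed = ["basic-card", "https://wallet.example/pay",
    ...manifests.keys(), "https://nomanifest.example/pay"];
  return claimed.filter((m) =>
    isMethodAllowed(scope, m, manifests.get(m) ?? null));
}
```

In the sample, the strict.example method is filtered out: a lookalike origin and a "*" placed inside the list do not match the handler's parsed origin, and only the string form "*" is treated as a wildcard.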
Project Member

Comment 3 by bugdroid1@chromium.org, Jan 30 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/21d87b8ef65ff9aea91f81561dc3d1da86fa246a

commit 21d87b8ef65ff9aea91f81561dc3d1da86fa246a
Author: gogerald <gogerald@google.com>
Date: Tue Jan 30 19:14:45 2018

[Payments] Do not override native payment app Ids

Bug:  763417 
Change-Id: Ia02e2e00f2e6a315ae16ee8de852e756a79c0de6
Reviewed-on: https://chromium-review.googlesource.com/891978
Reviewed-by: Rouslan Solomakhin <rouslan@chromium.org>
Commit-Queue: Ganggui Tang <gogerald@chromium.org>
Cr-Commit-Position: refs/heads/master@{#532981}
[modify] https://crrev.com/21d87b8ef65ff9aea91f81561dc3d1da86fa246a/components/payments/content/manifest_verifier.cc
[modify] https://crrev.com/21d87b8ef65ff9aea91f81561dc3d1da86fa246a/components/payments/content/manifest_verifier.h
