
Issue 863974


Issue metadata

Status: Fixed
Owner:
Closed: Jul 18
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac
Pri: 1
Type: Bug-Security


Incomplete fix of issue 853937

Reported by s.h.h.n....@gmail.com, Jul 16

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

Steps to reproduce the problem:
1. Enable #service-worker-payment-apps and #just-in-time-service-worker-payment-app flags
2. Go to https://shhnjk.azurewebsites.net/pay_handler.html
3. Hold Enter key for 3 seconds
4. Observe that the attacker gets XSS capability on test.shhnjk.com

What is the expected behavior?
Payment App installation fails.

What went wrong?
Issue 853937 is addressed by checking that the payment method manifest and the web app manifest are same-site. That's easy because we are assuming that the attacker can already upload a JSON-looking file. So the attacker just needs to upload another file.

But what would be difficult is that the attacker needs to point to that payment method manifest in a response header. Luckily, it turns out that same-siteness is only checked against the initial URL. Therefore, if the victim site has an open redirect anywhere in the same site as the manifest location, the attacker gets XSS again.

Did this work before? N/A 

Chrome version: 69  Channel: dev
OS Version: OS X 10.13.3
Flash Version:
 
Components: UI>Browser>Payments
Labels: -Pri-2 M-69 Security_Impact-Head Security_Severity-Medium OS-Android OS-Chrome OS-Linux OS-Windows Pri-1
Owner: gogerald@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 2 by sheriffbot@chromium.org, Jul 17

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Great catch, didn't notice the open redirect. I will fix it by only allowing same-site redirects: https://chromium-review.googlesource.com/c/chromium/src/+/1141046
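The bypass described in the report and the same-site-redirect rule the fix comment announces, modelled as an added C++ example (this is not Chromium's payment_manifest_downloader code): the payment method identifier URL on the victim site is HEADed, the redirect chain is followed through a constructed response table, and the manifest URL from the final Link header is compared against the initial URL. With `same_site_redirects_only` false the cross-site hop is followed and the attacker-served Link header, pointing back at a file uploaded to the victim, still passes the initial-URL check; with it true the hop itself is rejected while a same-site www redirect keeps working. The URL splitter, the two-label registrable-domain rule, the hostnames victim.example and attacker.example, and the response table are all assumptions constructed for this example; Chromium's real same-site check consults the Public Suffix List.

```cpp
#include <map>
#include <optional>
#include <string>

struct Url {
  std::string scheme;
  std::string host;
};

// Minimal splitter for the "scheme://host/path" shapes in the constructed
// table below (assumption: no userinfo, port or IPv6 host).
std::optional<Url> ParseUrl(const std::string& s) {
  auto sep = s.find("://");
  if (sep == std::string::npos) return std::nullopt;
  Url u;
  u.scheme = s.substr(0, sep);
  std::string rest = s.substr(sep + 3);
  u.host = rest.substr(0, rest.find('/'));
  if (u.host.empty()) return std::nullopt;
  return u;
}

// Registrable domain approximated as the last two labels. Assumption for
// this example only: the real check uses the Public Suffix List, under
// which e.g. "azurewebsites.net" is itself a public suffix.
std::string RegistrableDomain(const std::string& host) {
  auto last = host.rfind('.');
  if (last == std::string::npos || last == 0) return host;
  auto prev = host.rfind('.', last - 1);
  return (prev == std::string::npos) ? host : host.substr(prev + 1);
}

bool SameSite(const Url& a, const Url& b) {
  return a.scheme == b.scheme &&
         RegistrableDomain(a.host) == RegistrableDomain(b.host);
}

// Constructed HEAD response: a 3xx with Location, or a 200 whose Link
// header (rel=payment-method-manifest) has already been resolved.
struct HeadResponse {
  int status;
  std::string location;       // redirects only
  std::string manifest_link;  // 200 only
};
using FakeServer = std::map<std::string, HeadResponse>;

// Follow the HEAD chain for a payment method identifier URL and return the
// manifest URL it advertises, or nullopt when installation must fail.
// same_site_redirects_only=false reproduces the behaviour the report abuses.
std::optional<std::string> FetchManifestLocation(const FakeServer& server,
                                                 const std::string& initial,
                                                 bool same_site_redirects_only,
                                                 int max_hops = 3) {
  auto origin = ParseUrl(initial);
  if (!origin || origin->scheme != "https") return std::nullopt;
  std::string current = initial;
  for (int hop = 0; hop <= max_hops; ++hop) {
    auto it = server.find(current);
    if (it == server.end()) return std::nullopt;
    const HeadResponse& r = it->second;
    if (r.status >= 300 && r.status < 400) {
      auto target = ParseUrl(r.location);
      if (!target) return std::nullopt;
      // The fix: a redirect may only land on the site the identifier URL
      // started on, so an open redirect cannot hand the Link header to
      // another host.
      if (same_site_redirects_only && !SameSite(*origin, *target))
        return std::nullopt;
      current = r.location;
      continue;
    }
    if (r.status != 200 || r.manifest_link.empty()) return std::nullopt;
    // Pre-fix check as the report describes it: same-site against the
    // initial URL only, which an attacker-served Link header pointing back
    // at a file uploaded to the victim still satisfies.
    auto manifest = ParseUrl(r.manifest_link);
    if (!manifest || !SameSite(*origin, *manifest)) return std::nullopt;
    return r.manifest_link;
  }
  return std::nullopt;  // redirect loop or too many hops
}

// Constructed scenario: victim.example hosts an open redirect and an
// attacker-uploaded JSON file; attacker.example serves the Link header.
FakeServer ConstructedServer() {
  const std::string kRedirect =
      "https://victim.example/redirect?u=https://attacker.example/pay";
  const std::string kUploaded = "https://victim.example/uploads/pm.json";
  FakeServer s;
  s[kRedirect] = HeadResponse{302, "https://attacker.example/pay", ""};
  s["https://attacker.example/pay"] = HeadResponse{200, "", kUploaded};
  // Legitimate same-site redirect (www canonicalisation) that the fixed
  // rule must keep allowing.
  s["https://victim.example/pay"] =
      HeadResponse{301, "https://www.victim.example/pay", ""};
  s["https://www.victim.example/pay"] = HeadResponse{200, "", kUploaded};
  return s;
}
```

Calling `FetchManifestLocation(ConstructedServer(), kRedirect, false)` returns the uploaded manifest URL, which is the report's bypass; the same call with `true` returns nullopt, and the www case returns the manifest under either setting. Note the check compares each hop against the initial URL rather than the previous hop, so a chain cannot walk off-site one "near" step at a time.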

Comment 4 by bugdroid1@chromium.org, Jul 18

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a46ca4b0445c425471244980ea98b9e721f4aea5

commit a46ca4b0445c425471244980ea98b9e721f4aea5
Author: gogerald <gogerald@google.com>
Date: Wed Jul 18 13:56:35 2018

[Payments] Prevent cross site redirects for payment method HEAD

Bug: 863974
Change-Id: Idfeae3e29ff93b0897e822035d2f35282b6c8ca1
Reviewed-on: https://chromium-review.googlesource.com/1141046
Commit-Queue: Ganggui Tang <gogerald@chromium.org>
Reviewed-by: Mathieu Perreault <mathp@chromium.org>
Cr-Commit-Position: refs/heads/master@{#576026}
[modify] https://crrev.com/a46ca4b0445c425471244980ea98b9e721f4aea5/components/payments/core/payment_manifest_downloader.cc
[modify] https://crrev.com/a46ca4b0445c425471244980ea98b9e721f4aea5/components/payments/core/payment_manifest_downloader_unittest.cc

Status: Fixed (was: Assigned)
Closing this bug as it has been fixed as above; feel free to reopen it if necessary.

Comment 6 by sheriffbot@chromium.org, Jul 19

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -reward-topanel reward-unpaid reward-3133.7
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Thanks for this! The VRP panel decided to award $3,000 for this report, and a $133.70 bonus for the diligence to verify the previous fix.
Great! Finally I’m an elite :)
Labels: -reward-unpaid reward-inprocess
Labels: -ReleaseBlock-Stable

Comment 13 by sheriffbot@chromium.org, Oct 25

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot