Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1WjegJ-0004gO-9L for bitcoin-development@lists.sourceforge.net; Mon, 12 May 2014 01:05:27 +0000 Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of coinbase.com designates 209.85.213.175 as permitted sender) client-ip=209.85.213.175; envelope-from=andy@coinbase.com; helo=mail-ig0-f175.google.com; Received: from mail-ig0-f175.google.com ([209.85.213.175]) by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1WjegI-0001WT-Ca for bitcoin-development@lists.sourceforge.net; Mon, 12 May 2014 01:05:27 +0000 Received: by mail-ig0-f175.google.com with SMTP id uq10so3216330igb.2 for ; Sun, 11 May 2014 18:05:20 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=Hgh8CM9fOLT8g78NPLB1sEC2iU9l2HjDpJndZy2qzMM=; b=NR+QU97IS7PHzNZtyjJWasPoDwjFy0ozUdjhKvwouRvBH3O5d6bwfkCQItZiHSoTYa EtSltQV7uNy8NjyoUoMOesfgogcYC7+j9H2KMXU+Pa8VIyBkKF2Vn1CaLJKHpbGKi9xk 3WnDia6TIflVGnri+2iuRMpLlrpH+mSm5C8nmkdke8AeUr/DwmiM99NZZj4IuJ9WVTHU GD6D9F/1bGtvZOyKZb8YHeOCesfb7oMIH5WAMrDKP2hYyIy8hcjLeKvIPgfDch3bHUYS bUuQi36w8ILhQCkukStIMMbwkcYLnQ13SQk3VE8ibNv4bBQ3oTGA5uiearYAQ/q65I6p pFvA== X-Gm-Message-State: ALoCoQmF+Lz6emOeiqBsNcmfDEzJxh1/txYxZPlhoBK6+GoOqC5P2trHXKsJdvMtuPDE/P2S9XGo MIME-Version: 1.0 X-Received: by 10.50.142.104 with SMTP id rv8mr2366399igb.29.1399856720199; Sun, 11 May 2014 18:05:20 -0700 (PDT) Received: by 10.43.162.201 with HTTP; Sun, 11 May 2014 18:05:20 -0700 (PDT) Date: Sun, 11 May 2014 18:05:20 -0700 Message-ID: From: Andy Alness To: bitcoin-development@lists.sourceforge.net Content-Type: multipart/alternative; boundary=001a11c3db008b557b04f9298a03 X-Spam-Score: -0.5 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_PASS SPF: sender matches SPF record 1.0 HTML_MESSAGE BODY: HTML included in message X-Headers-End: 1WjegI-0001WT-Ca Subject: [Bitcoin-development] Allow cross-site requests of payment requests X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 May 2014 01:05:27 -0000 --001a11c3db008b557b04f9298a03 Content-Type: text/plain; charset=UTF-8 Would it be a terrible idea to amend BIP 70 to suggest implementors include a "Access-Control-Allow-Origin: *" response header for their payment request responses? I don't think this opens up any useful attack vectors. I ask because this would make it practical for pure HTML5 web wallets to use the payment protocol entirely in-browser. Without this I think it would be necessary for the server hosting the wallet's HTML to fetch payment requests on the browser's behalf. This is somewhat inelegant and has security/resource implications for the back-end. -Andy --001a11c3db008b557b04f9298a03 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

Would it be a terrible idea to amend BIP 70 to suggest imp= lementors include a "Access-Control-Allow-Origin: *" response hea= der for their payment request responses? I don't think this opens up an= y useful attack vectors.

I ask because this would make it practical for pure HTM= L5 web wallets to use the payment protocol entirely in-browser. Without thi= s I think it would be necessary for the server hosting the wallet's HTM= L to fetch payment requests on the browser's behalf. This is somewhat i= nelegant and has security/resource implications for the back-end.

-Andy

--001a11c3db008b557b04f9298a03--