Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Spec] Correctly validate payeeOrigin #160

Merged
merged 4 commits into from
Nov 15, 2021
Merged

[Spec] Correctly validate payeeOrigin #160

merged 4 commits into from
Nov 15, 2021

Conversation

stephenmcgruer
Copy link
Collaborator

@stephenmcgruer stephenmcgruer commented Nov 12, 2021
edited by pr-preview bot
Loading

Fixes #149

Preview | Diff

@stephenmcgruer
Copy link
Collaborator Author

@annevk - PTAL (and apologies for the delay!). I wasn't sure if we should be doing the same 3rd step as postMessage does, which is:

Set targetOrigin to parsedURL's origin.

I assume this is for normalization, but I'm unclear if its desirable for SPC as it seems to be a tuple rather than a string then?

@annevk
Copy link
Member

annevk commented Nov 15, 2021

If you don't have an actual origin, how would you do a same origin check? Internally you also want origins to be "objects". If you need to output it at some point you can serialize it then.

@stephenmcgruer
Copy link
Collaborator Author

how would you do a same origin check

I may not be following you; nowhere in the spec is payeeOrigin subject to a same-origin check, I believe. The payeeOrigin is a claim by the SPC caller as to which origin is receiving payment, which is displayed to the user by the browser and signed into the cryptogram. It may or may not be the same as the origin that SPC was called from.

For example, in a redirect flow, merchant.com will redirect to psp.com, who may then call SPC with payeeOrigin: 'https://merchant.com'. In this flow, the browser has no way to enforce that payeeOrigin is anything in particular, but that's ok - we don't have the ability to enforce that (e.g.) the transaction amount is correct either. The browser's job is to clearly indicate to the user what transaction information they are agreeing to, and then sign that for later validation/verification by the Relying Party (e.g., the bank).

@annevk
Copy link
Member

annevk commented Nov 15, 2021

Okay, so you essentially use a serialized form of the origin for signing (which would still end up being compared I suspect at some other point by another party?).

In that case you do still want to extract the origin from URL. Then you probably want to check that it's not an opaque origin (and fail if it is one). And I guess you might even want to enforce that the origin's scheme is https? Then you want to serialize the origin and use the resulting value for signing.

And yeah, normalization is important here. E.g., if the supplied value is https://EXAMPLE.example/test, you want to sign with https://example.example, right?

@stephenmcgruer
Copy link
Collaborator Author

Ah yes, very good points. I'm embarrassed - I hadn't even considered that (I now assume) the URL parser would accept https://foo.com/this/is/a/path, nevermind things like opaque origins >_<.

Thanks, I'll update the PR and ping for re-review. I appreciate your help!

@stephenmcgruer
Copy link
Collaborator Author

@annevk - PTAAL. I now check the scheme is https (which I believe rules out opaque origins as well), and then overwrite the input with the normalization. It's a little dodgy to do the overwrite (since it makes the Steps to check if a payment can be made non-idempotent), but in practice it 'works' and long-term I expect us to move SPC away from PaymentRequest and to its own API shape (see #65 (comment))

annevk
annevk reviewed Nov 15, 2021
View reviewed changes
Copy link
Member

@annevk annevk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah this works I think. Modifying data is a little weird, but it's a copy so it should be okay.

spec.bs Outdated Show resolved Hide resolved
spec.bs Outdated Show resolved Hide resolved
spec.bs Outdated Show resolved Hide resolved
spec.bs Outdated Show resolved Hide resolved
annevk
annevk approved these changes Nov 15, 2021
View reviewed changes
Copy link
Member

@annevk annevk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks pretty solid, thanks.

(By the way, if you ever need to add something from a WHATWG specification to an anchors block, please file an issue. To a large extent they are code smell.)

spec.bs Outdated Show resolved Hide resolved
@stephenmcgruer @annevk
Update spec.bs
8a23d12 
Co-authored-by: Anne van Kesteren <[email protected]>
@stephenmcgruer
Copy link
Collaborator Author

(By the way, if you ever need to add something from a WHATWG specification to an anchors block, please file an issue. To a large extent they are code smell.)

Ack, thanks (and thanks for the review!)

@stephenmcgruer stephenmcgruer merged commit ea5e611 into main Nov 15, 2021
@stephenmcgruer stephenmcgruer deleted the fully-qualified-origin branch November 15, 2021 17:11
github-actions bot added a commit that referenced this pull request Nov 15, 2021
@stephenmcgruer @github-actions
[Spec] Correctly validate payeeOrigin (#160)
6847d04 
SHA: ea5e611
Reason: push, by @stephenmcgruer

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@annevk annevk annevk approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

What is a fully qualified origin?
2 participants
@stephenmcgruer @annevk