Firefox/Features/Web Payments/Privacy & Security Considerations: Difference between revisions

(→Information Leakage: more details and links)
(→Information Leakage: more clarifications)
Line 42: Line 42:
== Information Leakage ==
== Information Leakage ==


Because the user's form input (credit card number, shipping address, etc.) is handled by trusted browser code instead of code (often third-party code) on a merchant website, it is much more difficult for unwanted [https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/ data exfiltration] to occur (e.g., via form tracking and session replay scripts).
When the payment process is loaded in web content on a merchant website, it is easy for code running on that site (often third-party code that has not been vetted for privacy and security vulnerabilities) to engage in wholesale [https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/ data exfiltration] (e.g., via form tracking and session replay scripts), to track the user's mouse movements, to trick the user into clicking malicious but ephemeral links (see [https://lcamtuf.blogspot.com/2010/08/on-designing-uis-for-non-robots.html this post] for related attacks), etc.


In addition, we have instituted several policies to ensure that user data is not leaked:
By contrast, when the payment process is handled by trusted, standardized code in a browser dialog window, the user's form input (credit card number, shipping address, etc.) is protected against many of these attacks.
 
In addition, we have instituted several policies to ensure that user data is not leaked to the merchant site:


* Firefox does not share the user's full shipping address until the user approves the payment at the very end of the in-browser workflow (see {{bug|1443735|Bug 1443735}}). Before then, Firefox shares only the minimum information (country and postal code) needed to determine shipping viability and cost.
* Firefox does not share the user's full shipping address until the user approves the payment at the very end of the in-browser workflow (see {{bug|1443735|Bug 1443735}}). Before then, Firefox shares only the minimum information (country and postal code) needed to determine shipping viability and cost.


* Although a merchant website could try to gather the user's country and postal code by calling the PaymentRequest.show() and .abort() functions in quick succession (see [https://lcamtuf.blogspot.com/2010/08/on-designing-uis-for-non-robots.html this post] for related attacks), to prevent abuse we have implemented a minimum amount of time (5 seconds) to display the payment dialog window, thus making it difficult for a website to trick a user into sharing this information (see {{bug|1447773|Bug 1447773}}).
* Although a merchant website could try to gather the user's country and postal code by calling the PaymentRequest.show() and .abort() functions in quick succession (even without the user noticing), to prevent abuse we have implemented a minimum amount of time (5 seconds) to display the payment dialog window, thus making it difficult for a website to trick a user into sharing this information (see {{bug|1447773|Bug 1447773}}).


== Device Fingerprinting ==
== Device Fingerprinting ==
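Review bot: the second bullet (the PaymentRequest.show()/.abort() item) does not say at what point the country and postal code are sent to the merchant site, so the text does not make clear how a 5-second minimum display time for the dialog prevents a site from collecting them; state whether the partial address is withheld until the dialog has been visible for the minimum time, or whether the minimum only ensures repeated prompts are visible to the user, and point to {{bug|1447773|Bug 1447773}} for the mechanism. The new second paragraph's "protected against many of these attacks" is also vague: name which of the attacks listed in the first paragraph (data exfiltration, mouse-movement tracking, ephemeral malicious links) the dialog window actually addresses.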