Firefox/Features/Web Payments/Privacy & Security Considerations: Difference between revisions

Firefox/Features/Web Payments/Privacy & Security Considerations (view source)

171 bytes added , 27 June 2018

58

edits

@@ Line 74: / Line 74: @@
 As part of the Payment Request API, the merchant website can provide certain untrusted strings to the browser; these include:
-* PaymentItem label values (e.g., products in a shopping cart)
+* [https://www.w3.org/TR/payment-request/#dom-paymentitem-label PaymentItem labels] (e.g., products in a shopping cart)
-* The web origin of the merchant website (which could include mixed scripts, bidirectional domain labels, confusable characters, etc.)
+* The [https://tools.ietf.org/html/rfc6454 web origin] of the merchant website (which could include mixed scripts, bidirectional domain labels, confusable characters, etc.)
-* Error strings, especially generic error message
+* [https://www.w3.org/TR/payment-request/#dom-paymentdetailsupdate-error Error strings], especially the generic error message
 Firefox should validate and sanitize all untrusted strings, for instance by limiting their display length (e.g., truncate to 64 bytes or fewer, as is done for relying party names in the [https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API Web Authentication API]), always using UI elements to provide a clear boundary around these strings, not allowing these UI elements to overflow into other elements, etc.