Intent to deprecate and remove: connect-src CSP bypass in Web Payment API


Rouslan Solomakhin

Sep 21, 2022, 1:30:49 PM
to blink-dev

Contact emails



Deprecate the ability for Web Payment API to bypass the connect-src CSP policy when fetching the manifest. After this deprecation, a site's connect-src CSP policy will need to allow for the payment method URL specified in a PaymentRequest call, as well as any other URLs that the method chains to fetch its manifest.

Blink component



Content Security Policy (CSP) directives enable a site to detect and mitigate various forms of attacks including Cross-Site Scripting, data injection, and data theft. Specifically, the connect-src[0] directive limits which URLs can be loaded via various script interfaces. Web-based PaymentHandlers are loaded by specifying a URL to the PaymentRequest API, which the browser then uses to fetch a manifest file for the PaymentHandler. This fetching (of various URLs along the way[1]) does not currently obey connect-src within Chrome and so could be used as a data exfiltration method. For example, injected script on could specify an (invalid) payment method of, where 'foobar' is some secret stolen from

To defeat such an attack, we intend to make PaymentHandler requests fall under the purview of the connect-src CSP policy. This may require action from both PaymentHandler apps and the sites (merchants) that use them. The PaymentHandler app will have to determine all URLs that its app may rely on (e.g., including redirects and the multiple manifest files) and publish this list somewhere. Sites (merchants) using PaymentRequest will have to make sure that if they have a connect-src CSP, it allows for the payment app that they want.

[0]:
[1]:

TAG review status

Not applicable


Interoperability and Compatibility

Gecko: N/A. Does not implement or ship PaymentHandler.
WebKit: N/A. Does not implement or ship PaymentHandler.
Web developers: No signals.
Other signals: No signals.

WebView application risks

None: PaymentHandlers are not supported in WebView.


CSP violations print console error messages.

Is this feature fully tested by web-platform-tests?


Flag name


Requires code in //chrome?


Tracking bug

Launch bug

Estimated milestones

Print a deprecation warning in developer console: 108-110
Remove CSP bypass: 111
Reverse origin trial if necessary for anyone to opt out: 111-113.

Link to entry on the Chrome Platform Status

Links to previous Intent discussions

Intent to prototype.
Intent to experiment.

This intent message was generated by Chrome Platform Status.
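To see what the merchant-side requirement above means in practice, here is an added example (not code from the intent or from Chromium): a small connect-src checker that takes a site's CSP and the URL list a payment handler publishes (method URL, manifest URLs, redirect targets) and reports which of them the policy would block once PaymentRequest fetches obey connect-src. The policy, page origin and URLs are constructed for illustration, and CSP source matching is simplified (nonces, hashes and 'strict-dynamic' are skipped because they do not apply to connect-src; the spec's http-to-https upgrade rule is omitted).

```javascript
// Parse "default-src 'self'; connect-src https://a.example" into Map(directive -> [sources]).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // CSP honours only the first occurrence of a directive name
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one source expression ('self', https:, https://*.cdn.example:443/path, ...) match url?
function sourceMatches(source, url, pageOrigin) {
  const u = new URL(url);
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true;
  if (s === "'self'") return u.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return u.protocol === s;            // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?((?:\*\.)?[^:\/]+)(?::(\*|\d+))?(\/[^?#]*)?$/.exec(s);
  if (!m) return false;                                                     // unsupported form
  const [, scheme, host, port, path] = m;
  // scheme: explicit in the source, otherwise the page's own scheme
  if (u.protocol !== (scheme ? scheme + ':' : new URL(pageOrigin).protocol)) return false;
  // host: "*.cdn.example" matches any proper subdomain, otherwise exact match
  if (host.startsWith('*.')) {
    if (!u.hostname.endsWith(host.slice(1)) || u.hostname.length <= host.length - 1) return false;
  } else if (u.hostname !== host) return false;
  // port: absent means the URL must use the scheme's default port (URL parser leaves u.port empty)
  const urlPort = u.port || ({ 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' }[u.protocol] ?? '');
  if (port === undefined ? u.port !== '' : port !== '*' && urlPort !== port) return false;
  // path: trailing "/" is a prefix match, anything else must match exactly
  if (path && (path.endsWith('/') ? !u.pathname.startsWith(path) : u.pathname !== path)) return false;
  return true;
}

// connect-src governs fetches; it falls back to default-src, and no policy at all means allowed.
function connectSrcAllows(policy, url, pageOrigin) {
  const d = parseCsp(policy);
  const sources = d.get('connect-src') ?? d.get('default-src');
  return sources === undefined || sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// Given the URL list a payment handler publishes, return the ones this site's CSP would block.
function blockedPaymentHandlerUrls(policy, pageOrigin, urls) {
  return urls.filter((url) => !connectSrcAllows(policy, url, pageOrigin));
}
```

A merchant would feed its real Content-Security-Policy value and the handler's published list into `blockedPaymentHandlerUrls` and add the reported entries to connect-src before the bypass is removed.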

Yoav Weiss

Sep 22, 2022, 1:47:55 AM
to Rouslan Solomakhin, blink-dev


mkwst via Chromestatus

Sep 26, 2022, 3:01:18 AM

Rouslan Solomakhin

Sep 27, 2022, 10:34:30 AM
to blink-dev

Are there remaining questions for me to answer? (Or maybe the tools are not picking up this intent everywhere...) -- waiting on the last LG 😆


On Monday, September 26, 2022 at 3:01:18 AM UTC-4 mkwst via Chromestatus wrote:

Mike Taylor

Sep 27, 2022, 12:51:36 PM
to Rouslan Solomakhin, blink-dev
