Before this patch, a Content Security Policy (CSP) violation in a payment
method identifier would be counted, but there was no way to enforce CSP.
This patch adds a chrome://flags/#web-payment-api-csp flag that enables
enforcing the CSP connect-src directive for payment method identifiers.
After this patch, if chrome://flags/#web-payment-api-csp is set to
"Enabled", then a CSP violation in a payment method identifier will print
a "refused to connect" error message and the PaymentRequest constructor will
throw a RangeError. (Not in this patch: handling redirects, e.g., from
https://host.com/pay to https://pay.host.com/.)

Intent to prototype:
https://groups.google.com/a/chromium.org/g/blink-dev/c/jklZJYcOVyg/m/Gfwa4QQBAwAJ

Bug: 1349091
Change-Id: I2df9bf8a0e207f06dc674b53263b219803c3a5ff
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3805640
Commit-Queue: Rouslan Solomakhin <rouslan@chromium.org>
Reviewed-by: Daniel Bratell <bratell.d@gmail.com>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Stephen McGruer <smcgruer@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1032997}
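
The following is an added example, not part of this commit or of Chromium's code: a pre-deployment check that lists which URL-based payment method identifiers a page's connect-src source list would refuse, so a merchant can find the identifiers that would make the PaymentRequest constructor throw once enforcement is enabled. The matcher is a simplified subset of CSP source matching; the function names, the merchant origin and the sample policies are assumptions, and skipping non-URL identifiers is also an assumption.

```javascript
// Added example: simplified CSP connect-src source matching (not Chromium's code).
// Handles 'none', 'self', *, scheme-sources and host-sources with an optional
// scheme, leading "*." wildcard, port and path. No percent-decoding, no redirects.
function matchesSource(source, url, selfOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === selfOrigin;
  if (source === "*") return url.protocol === "https:" || url.protocol === "http:";
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();

  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;

  // No scheme in the source expression: fall back to the page's own scheme.
  const wantScheme = scheme ? scheme.toLowerCase() + ":" : new URL(selfOrigin).protocol;
  const schemeOk = url.protocol === wantScheme ||
    (wantScheme === "http:" && url.protocol === "https:");
  // "*.host.com" matches subdomains only, never host.com itself.
  const h = host.toLowerCase();
  const hostOk = wildcard ? url.hostname.endsWith("." + h) : url.hostname === h;
  // URL.port is "" when the URL uses the default port for its scheme.
  const urlPort = url.port || (url.protocol === "https:" ? "443" : "80");
  const portOk = port === "*" || (port === undefined ? url.port === "" : urlPort === port);
  // A path ending in "/" is a prefix match; any other path must match exactly.
  const pathOk = !path ||
    (path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path);
  return schemeOk && hostOk && portOk && pathOk;
}

// Returns the identifiers in methodData that the connect-src source list refuses.
function refusedIdentifiers(connectSrc, methodData, selfOrigin) {
  const sources = connectSrc.trim().split(/\s+/);
  return methodData.map((m) => m.supportedMethods).filter((id) => {
    let url;
    try { url = new URL(id); } catch { return false; } // assumption: non-URL ids are skipped
    return !sources.some((s) => matchesSource(s, url, selfOrigin));
  });
}

// Constructed sample input: a hypothetical merchant page and two identifiers.
const SELF = "https://merchant.example";
const METHODS = [
  { supportedMethods: "https://host.com/pay" },
  { supportedMethods: "https://pay.host.com/" },
];
console.log(refusedIdentifiers("'self' https://host.com", METHODS, SELF));
```

A policy that lists only https://host.com leaves https://pay.host.com/ refused, because the two URLs are different hosts for source matching.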