session-flow: add session initiation/termination sections #17
Conversation
asurkov
changed the title
asurkov
force-pushed
the
incomingpayment
branch
from
ffa0267 to
195f2f6
Compare
| <dfn data-lt="wallet monetization restricted">Wallet monetization restricted</dfn> | ||
| given a |document:Document| and a [=wallet address=] |walletAddress:DOMString| | ||
| if the <a href="https://webmonetization.org/docs/references/csp-monetization-src/">`monetization-src`</a> directive | ||
| in the [=content security policy=] of the |document| restricts the |walletAddress|'s [=origin=]. |
There was a problem hiding this comment.
Q: If there are redirects from a non-restricted origin to a restricted one, are they allowed by CSP?
There was a problem hiding this comment.
good question, CSP should be applied to the final document I believe but which redirects do you refer specifically?
There was a problem hiding this comment.
Consider using wallet address: https://sidvishnoi.com/.well-known/pay. It redirects to a GateHub wallet. On my website (https://sidvishnoi.com), if add monetization-src: 'self' CSP, I would expect my wallet address to not be blocked, regardless of where it redirects to later on. Otherwise, I'd need to add GateHub to my CSP as well.
There was a problem hiding this comment.
There was a problem hiding this comment.
I get it. So there's nothing to change/tweak in wording here, right?
asurkov
force-pushed
the
incomingpayment
branch
from
195f2f6 to
ced93c0
Compare
asurkov
force-pushed
the
flow
branch
2 times, most recently
from
62f47de to
eab16dc
Compare
| <div class="algorithm"> | ||
| <p>To <dfn>initiate sessions scoped to</dfn> the |root:HTMLElement|, run these steps:</p> | ||
| <ol> | ||
| <li>Let |linkElements:NodeList| be all [^link^] elements with `rel="monetization"` that are descendants of |root|.</li> |
There was a problem hiding this comment.
Do we include disabled elements here? Or handle them in "initiate a session"?
Maybe we should have an algorithm "get link elements".
There was a problem hiding this comment.
it looks like initiate a session alg is the right place
not sure about specific "get link elements" alg because technically "initiate sessions scoped to" is that one
| Let |websiteWalletDetails:WalletAddressDetails?| be the result of [=send a wallet address request=] with |websiteWalletAddress|. | ||
| </li> | ||
| <li> | ||
| If |websiteWalletDetails| is null, fire an `error` event on |linkElement| and return. |
There was a problem hiding this comment.
At what stage CSP is handled? Will a CSP error also result in error event on linkElement?
There was a problem hiding this comment.
It's part of [=wallet monetization restricted=] of the "initiate a session" alg. Not quite sure if we should keep silent or send an error. Do you want me to send an issue on this one?
There was a problem hiding this comment.
Let's keep the same behavior as with other link tags.
There was a problem hiding this comment.
apparently it varies from browser to browser, it seems all are agree that error is reported in console such as "Content-Security-Policy: The page’s settings blocked a style (style-src-elem) at https://example.com/blocked.css from being applied because it violates the following directive: “style-src 'self'”, but nothing else in Firefox. Chromium fires error event. It's weird but apparently it's implementation dependent.
Do you think we should reflect that somehow in the spec?
There was a problem hiding this comment.
I'd rather file an interop bug and see what browsers agree on. But adding a note here would be good as well.
There was a problem hiding this comment.
I'd rather file an interop bug and see what browsers agree on. But adding a note here would be good as well.
right, do you know what's a typical procedure for this (cc'ing @lukewarlow )
|
Why closed? |
I merged the branch from command line since it UI was failing for me so closed this one |
No description provided.