Securing Online Transactions with the Permissions-Policy Payment Directive
The Permissions-Policy HTTP response header (formerly known as Feature-Policy) is a key security mechanism that allows website owners to control which browser features and APIs their site, and any content embedded in it, can access.
One of the more sensitive directives within this policy is the "payment" directive, which controls access to the Payment Request API. This API enables web applications to facilitate seamless, secure payments from users by directly accessing payment methods stored in the browser or device, such as credit cards or digital wallets. While convenient, allowing unrestricted access to the Payment Request API introduces privacy and security risks that need careful management.
History and Origin of Permissions-Policy
The Permissions-Policy header was introduced by Google in 2018 under the original name Feature-Policy. The purpose of this header was to give web developers more granular control over the powerful browser features and APIs their websites could access. As web applications increasingly rely on APIs that can interact with device hardware and user data, the need for stricter controls became clear to mitigate the risk of these powerful features being abused, especially by embedded third-party content or compromised websites.
The payment directive was added to address the specific risks associated with the Payment Request API. This API was developed by the World Wide Web Consortium (W3C) to streamline and secure the online payment process by allowing websites to request payment details directly from the browser. However, the Payment Request API’s power to access sensitive financial information—such as credit card numbers or other stored payment methods—also creates the potential for misuse. The payment directive ensures that only trusted parts of the website can access this API, preventing unauthorised access to sensitive financial data.
What Does the Payment Directive Do?
The "payment" directive in the Permissions-Policy header allows website owners to control whether a web page or any embedded content can access the Payment Request API. This API is designed to make the checkout process smoother for users by accessing payment methods stored in their browser or device, facilitating payments without the need to manually enter card details.
For example:
- Setting payment=() blocks access to the Payment Request API entirely, preventing both the website and any embedded content from initiating payment requests.
- Setting payment=* allows full access to the Payment Request API for all content on the page, including third-party iframes or scripts, which is generally not advisable without thorough oversight.
This control is critical, as unrestricted access to the Payment Request API could expose users to security risks, including unauthorised payments or the misuse of stored payment methods.
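The two settings above are the extremes; a least-privilege policy normally sits in between, granting payment to the page's own origin and to one trusted payment provider frame. The following example, added here and not part of the original article, builds a Permissions-Policy header value from an allowlist, parses one back, and evaluates whether a given embedded origin would be allowed to use the payment feature. It models only the response header's allowlist semantics (the browser's real algorithm also folds in <iframe allow="..."> delegation and inherited policy, which are omitted here); the origins shop.example, pay.example and ads.example are constructed for illustration, and the assumption that the default allowlist for payment is "self" when the directive is absent is encoded in DEFAULT_ALLOWLIST.

```javascript
// Added example (not from the original article): build, parse and evaluate
// Permissions-Policy allowlists for the "payment" directive.
// Scope: header allowlist only; <iframe allow> delegation is not modelled.

// Assumption: when a feature is not named in the header, the browser applies
// the feature's default allowlist, which for payment is "self".
const DEFAULT_ALLOWLIST = { payment: ['self'] };

// Serialize { feature: allowlist } into a Permissions-Policy header value.
// An allowlist is '*' (everyone), [] (nobody), or an array of 'self' and origins.
function buildPermissionsPolicy(policy) {
  return Object.entries(policy)
    .map(([feature, allow]) => {
      if (allow === '*') return `${feature}=*`;
      const members = allow.map((m) => (m === 'self' ? 'self' : `"${m}"`));
      return `${feature}=(${members.join(' ')})`;
    })
    .join(', ');
}

// Parse a header value back into { feature: allowlist }.
// Tolerates spacing variations; throws on a directive it cannot read.
function parsePermissionsPolicy(headerValue) {
  const policy = {};
  for (const raw of headerValue.split(',')) {
    const directive = raw.trim();
    if (directive === '') continue;
    const m = /^([a-z][a-z0-9-]*)=(\*|\(([^)]*)\))$/.exec(directive);
    if (!m) throw new Error(`malformed directive: ${directive}`);
    const feature = m[1];
    if (m[2] === '*') { policy[feature] = '*'; continue; }
    const inner = m[3].trim();
    policy[feature] = inner === ''
      ? []
      : inner.split(/\s+/).map((tok) => (tok === 'self' ? 'self' : tok.replace(/^"|"$/g, '')));
  }
  return policy;
}

// Decide whether a document at frameOrigin may use `feature` when the
// top-level document at selfOrigin sent `policy`.
function allowsFeature(policy, feature, selfOrigin, frameOrigin) {
  const allow = feature in policy ? policy[feature] : (DEFAULT_ALLOWLIST[feature] || []);
  if (allow === '*') return true;
  return allow.some((m) => (m === 'self' ? frameOrigin === selfOrigin : m === frameOrigin));
}

// Constructed sample origins: the shop, its payment provider, and an ad network.
const SITE = 'https://shop.example';
const PSP = 'https://pay.example';
const AD = 'https://ads.example';

// Weak setting: every embedded frame, ads included, may call PaymentRequest.
const WEAK_HEADER = buildPermissionsPolicy({ payment: '*' });
// Least-privilege setting: the page itself and its payment provider frame only.
const HARDENED_HEADER = buildPermissionsPolicy({ payment: ['self', PSP], geolocation: [] });

// Evaluate which origins can use payment under each header.
function comparePolicies() {
  const weak = parsePermissionsPolicy(WEAK_HEADER);
  const hardened = parsePermissionsPolicy(HARDENED_HEADER);
  return {
    weakHeader: WEAK_HEADER,
    hardenedHeader: HARDENED_HEADER,
    adUnderWeak: allowsFeature(weak, 'payment', SITE, AD),
    adUnderHardened: allowsFeature(hardened, 'payment', SITE, AD),
    pspUnderHardened: allowsFeature(hardened, 'payment', SITE, PSP),
    selfUnderHardened: allowsFeature(hardened, 'payment', SITE, SITE),
    adWhenAbsent: allowsFeature({}, 'payment', SITE, AD),
  };
}

console.log(comparePolicies());
```

The hardened header this produces is payment=(self "https://pay.example"), geolocation=(); sending it as a response header on every page of the shop keeps the ad frame from ever reaching the Payment Request API, while the checkout page and the provider's frame keep working.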
Why Was It Added?
The payment directive was introduced to address several key privacy and security concerns:
- Preventing Unauthorised Payments: The Payment Request API has the capability to trigger payment dialogs and interact with sensitive payment data. Without proper restrictions, a compromised website or malicious third-party script could exploit this API to initiate unauthorised payments or collect payment details from users without their knowledge. The payment directive allows developers to restrict access to this API, ensuring that only trusted content can request payment data.
- Securing User Financial Information: Payment details are some of the most sensitive personal data that users can provide online. Any vulnerability in how these details are handled could lead to financial theft or fraud. By controlling access to the Payment Request API, the payment directive helps ensure that sensitive financial information is handled securely, minimising the risk of data breaches or misuse.
- Reducing the Risk of Phishing and Fraud: The ability to trigger payment dialogs opens the door for potential phishing attacks, where malicious websites could mimic legitimate payment forms to deceive users into providing their payment details. The payment directive ensures that only authorised, trusted elements of the website can use the Payment Request API, reducing the risk of such fraudulent attacks.
Use Cases It Guards Against
The payment directive is particularly effective at guarding against several problematic use cases:
- Unauthorised Third-Party Payments: Websites often embed third-party content such as advertisements or social media plugins, which may request access to APIs like the Payment Request API. If not properly restricted, these third-party elements could initiate payment requests without the user’s consent, leading to unauthorised transactions. The payment directive allows developers to prevent untrusted third-party scripts from accessing the Payment Request API.
- Phishing Attacks and Deceptive Payment Interfaces: Malicious actors could use the Payment Request API to create deceptive payment dialogs that appear legitimate. By restricting access to the Payment Request API, developers can reduce the likelihood of users being tricked by fraudulent payment prompts, protecting them from phishing attempts.
- Data Theft via Compromised Websites: In the event that a website is compromised, malicious actors could exploit the Payment Request API to access stored payment information or trick users into initiating payments. By controlling which parts of the website can use the Payment Request API, the payment directive helps minimise the damage that could be caused by such breaches.
- Inadvertent Privacy Violations: Even well-intentioned websites could inadvertently expose users to privacy risks if they allow embedded third-party content to request payment information. The payment directive ensures that only the necessary and authorised parts of the website can trigger payment requests, reducing the risk of unintentional privacy violations.
Why Should You Set Permissions-Policy Payment Correctly?
There are several compelling reasons why website owners should ensure the payment directive is configured properly:
- Protecting User Financial Data: Payment information is one of the most sensitive forms of personal data, and mishandling it can have severe consequences, including financial fraud and identity theft. By setting the payment directive to restrict access to the Payment Request API, website owners can protect users from having their financial information misused or stolen.
- Preventing Unauthorised Payments: The Payment Request API’s ability to initiate payments makes it a potential target for malicious actors. If improperly managed, it could be exploited to make unauthorised purchases or siphon funds from user accounts. Properly configuring the payment directive ensures that only trusted content can request payment information, significantly reducing the risk of fraudulent transactions.
- Complying with Privacy and Security Regulations: As regulations like the GDPR and PCI DSS (Payment Card Industry Data Security Standard) become more stringent, website owners are legally required to protect sensitive financial data. Misconfiguring the Payment Request API could lead to non-compliance with these regulations, resulting in hefty fines and legal penalties. Setting the payment directive correctly helps ensure compliance with these data protection standards.
- Building User Trust: Users are becoming more cautious about how their financial data is handled online, and they expect websites to take security seriously. Websites that implement strong controls over sensitive APIs, such as the Payment Request API, are more likely to build trust with users, encouraging them to complete transactions and return to the site in the future.
- Reducing the Attack Surface: Following the principle of least privilege, websites should only grant access to features that are strictly necessary. By restricting access to the Payment Request API through the payment directive, website owners can reduce the attack surface available to malicious actors, making the site more secure and resilient to potential threats.
Conclusion: Securing Online Payments with the Payment Directive
The Permissions-Policy payment directive is a critical tool for managing access to the Payment Request API, which allows websites to handle sensitive financial data and facilitate online payments. While this API offers significant benefits in terms of streamlining the payment process, it also introduces substantial risks if left unrestricted. By properly configuring the payment directive, website owners can protect users from unauthorised payments, phishing attacks, and data breaches.
In a world where online transactions are increasingly common, ensuring that the payment directive is set correctly is an essential step for safeguarding user trust, protecting financial data, and complying with privacy regulations. A secure, well-configured payment system is not only a necessity for reducing security risks but also a key factor in building a trustworthy and reliable online presence.