interledger / rfcs

Specifications for Interledger and related protocols

Home Page: https://interledger.org


0028: dynamic meta tags security issues

sublimator opened this issue

@adrianhopebailie foresees some security issues with the way we are monitoring for dynamically injected meta tags.

Are there more details to this that can be captured in this issue so others know what the security issues are?

I have a suspicion that we are not immune from another extension modifying the Payment Pointers on a site before we process the tags.

This is an issue to track this discussion, but @sublimator and I agreed we need some expert opinion from browsers on how to do SPAs safely.

Essentially any 3rd party code, so currently the model is, 'beware of what scripts you pull in' as an integrator and 'be careful what extensions you install' as an end user. The store review/rating process can help with the latter, but of course ...

Another point worth capturing here is that even before the observation of meta tag changes, there was seemingly no real way of knowing from a polyfill (extension or script injected) whether the tags were from an SSL-served static HTML document.

And of course, it shares these issues with the previous imperative donate(...) and monetize(...) APIs.

commented

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is important, please feel free to bring it up on the next Interledger Community Group Call or in the Gitter chat.