> > Would it be a terrible idea to amend BIP 70 to suggest implementors
> > include an "Access-Control-Allow-Origin: *" response header for their
> > payment request responses? I don't think this opens up any useful attack
> > vectors.
>
> It sounds OK to me, although we should all sleep on it for a bit.

The reason this header exists is exactly because mobile code fetching random web resources can result in surprising security holes.

For this to be useful, someone would have to actually want to fully implement the payment protocol (with its own root cert store, ASN.1 parsing, RSA etc) in browser-sandboxed JavaScript rather than just providing a real app for people to download. Is that really going to be popular, though? I think it's unclear.
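As an added illustration of the proposal under discussion (this is example code, not part of the thread, of BIP 70, or of any wallet or merchant implementation), the following models a merchant server's payment-request endpoint emitting the wildcard CORS header, alongside the check a reviewer would run over all endpoints: the header is harmless on an unauthenticated, identical-for-everyone response such as a serialized `PaymentRequest`, and the combination to reject is a cross-origin grant on a credentialed response. The MIME type `application/bitcoin-paymentrequest` is the one BIP 70 specifies; the function names, the 406 handling and the `PaymentRequest` bytes are constructed for this example.

```python
"""Added example: CORS header on a BIP 70 payment request response, plus a
policy check. Not the thread's code nor any BIP 70 implementation; helper
names and sample data are constructed."""

# MIME type BIP 70 assigns to a serialized PaymentRequest message.
BIP70_MIME = "application/bitcoin-paymentrequest"

# Constructed stand-in for a serialized PaymentRequest protobuf; a real
# merchant server builds and signs this per BIP 70.
SAMPLE_PAYMENT_REQUEST = b"\x0a\x04main\x12\x00\x1a\x00"


def payment_request_response(accept_header):
    """Return (status, headers, body) for a GET on a payment request URL.

    The wildcard origin is added only on this response: it carries no
    session state, is identical for every requester and is already
    fetchable by any non-browser client, so letting a page on another
    origin read it exposes nothing new. (Hypothetical handler shape.)
    """
    if BIP70_MIME not in accept_header:
        return 406, {"Content-Type": "text/plain"}, b"expected " + BIP70_MIME.encode()
    headers = {
        "Content-Type": BIP70_MIME,
        "Access-Control-Allow-Origin": "*",
        "Cache-Control": "no-store",
    }
    return 200, headers, SAMPLE_PAYMENT_REQUEST


def cors_policy_problems(headers):
    """Flag CORS header combinations a reviewer would reject on any endpoint.

    Browsers refuse a wildcard origin together with
    Access-Control-Allow-Credentials: true, so that pair is always a
    misconfiguration. A specific origin combined with credentials is the
    setting that actually widens exposure of an authenticated endpoint, so
    it is reported too; a bare wildcard on a public response is fine.
    """
    problems = []
    origin = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if origin == "*" and creds:
        problems.append("wildcard origin combined with credentials")
    elif origin is not None and creds:
        problems.append("credentialed cross-origin access granted to " + origin)
    return problems


if __name__ == "__main__":
    status, hdrs, body = payment_request_response(BIP70_MIME)
    print(status, hdrs, len(body), "bytes; problems:", cors_policy_problems(hdrs))
```

The check deliberately says nothing about responses whose content depends on the requester's network position (an intranet host answering on the basis of source address, for instance); a wildcard there would let any page read what only the local network was meant to see, and that is exactly the "surprising security holes" category the reply refers to. A payment request served to the public Internet does not fall into it.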