[paymentrequest] Should the Payment Request API only be available in a top-level browsing context? (#30)

This question has been raised as part of the discussion in issue #9.

The spec for the [`PaymentRequest` constructor](https://wicg.github.io/paymentrequest/specs/paymentrequest.html#paymentrequest-constructor) currently states that if the API is not called from a [top-level browsing context](http://www.w3.org/TR/html5/browsers.html#top-level-browsing-context) then a `SecurityError` should be thrown. The goal of this step is to prevent iframes with potentially untrusted content from making a payment request that the user perceives as actually coming from the top-level page. For example, a well-known publication web site that inadvertently includes a malicious ad.

The problem with this approach is that there are common scenarios where a site may host trusted third party content (e.g. games) in an iframe where the trusted content should be allowed to make a payment request.

One proposal here is to introduce a new attribute (e.g. `payment`) onto the iframe element that gives permission for content to make payment requests. Since this is provided by the containing page, it gets to decide whether it trusts the content.

Another issue here is that an iframe may contain content from the same origin as the top-level browsing context. We should probably permit this call to be made and only block cross-origin payment requests.

---
Reply to this email directly or view it on GitHub:
https://github.com/WICG/paymentrequest/issues/30

Received on Wednesday, 9 December 2015 19:45:28 UTC
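The gating rule discussed in the issue, as an added example that is not part of the original message and not code from the WICG/paymentrequest project. It models the current rule (top-level only), the proposed rule (top-level, same-origin iframes, or cross-origin iframes whose embedding page opted in via the proposed `payment` attribute), and the call-site pattern of treating a `SecurityError` from the constructor as "payments not available here". Assumptions: the browsing-context objects and `paymentAllowed` flag are a model of the frame tree, not a browser API; the choice that the opt-in must hold at every cross-origin hop for nested frames is the example's own, not stated in the issue; `FakePaymentRequest` stands in for the real constructor so the code runs outside a browser; the `methodData` and `details` values are constructed placeholders.

```javascript
// Model of a browsing context (assumption, not a browser API):
//   { origin: "https://host", parent: <ctx or null>, paymentAllowed: bool }
// `paymentAllowed` represents the proposed `payment` attribute being present
// on the <iframe> element that embeds this context (ignored for top-level).

function topLevel(ctx) {
  let c = ctx;
  while (c.parent) c = c.parent;
  return c;
}

// Current spec behaviour as described in the issue: only a top-level
// browsing context may construct a PaymentRequest.
function allowedUnderCurrentSpec(ctx) {
  return ctx.parent === null;
}

// Proposed behaviour: top-level always; iframes same-origin with the top-level
// context always; cross-origin iframes only when the embedding page opted in.
// Assumption (not in the issue): the opt-in is required at every cross-origin
// frame on the chain, so an ancestor that could not make a payment request
// itself cannot delegate that ability to a frame it embeds.
function allowedUnderProposal(ctx) {
  const top = topLevel(ctx);
  for (let c = ctx; c.parent !== null; c = c.parent) {
    if (c.origin === top.origin) continue; // same-origin frame: permitted
    if (!c.paymentAllowed) return false;   // cross-origin frame without opt-in
  }
  return true;
}

// Call-site pattern: the constructor throws SecurityError when the context is
// not permitted, so report that as "unavailable" instead of crashing. `ctor`
// is injectable so this runs outside a browser (window.PaymentRequest in a page).
function createPaymentRequestSafely(ctor, methodData, details) {
  try {
    return { request: new ctor(methodData, details), error: null };
  } catch (e) {
    if (e && e.name === "SecurityError") return { request: null, error: "SecurityError" };
    throw e; // anything else (e.g. TypeError from bad arguments) is a real bug
  }
}

// Stand-in for window.PaymentRequest, gated by the proposed rule (assumption).
function fakePaymentRequestFor(ctx) {
  return function FakePaymentRequest(methodData, details) {
    if (!allowedUnderProposal(ctx)) {
      const err = new Error("PaymentRequest not allowed in this browsing context");
      err.name = "SecurityError";
      throw err;
    }
    this.methodData = methodData;
    this.details = details;
  };
}

// Constructed sample frame tree: a publisher page embedding a same-origin
// widget, a trusted game that was given the opt-in, and an ad network iframe
// without it; plus an ad nested inside the trusted game without the opt-in.
const publisher = { origin: "https://publisher.example", parent: null, paymentAllowed: false };
const sameOriginWidget = { origin: "https://publisher.example", parent: publisher, paymentAllowed: false };
const trustedGame = { origin: "https://games.example", parent: publisher, paymentAllowed: true };
const adFrame = { origin: "https://ads.example", parent: publisher, paymentAllowed: false };
const adInsideGame = { origin: "https://ads.example", parent: trustedGame, paymentAllowed: false };

// Placeholder arguments (constructed; shape only, not validated by the stub).
const sampleMethodData = [{ supportedMethods: ["example-pay"] }];
const sampleDetails = { total: { label: "Total", amount: { currency: "USD", value: "1.00" } } };

if (typeof require !== "undefined" && require.main === module) {
  const frames = { publisher, sameOriginWidget, trustedGame, adFrame, adInsideGame };
  for (const [name, ctx] of Object.entries(frames)) {
    const r = createPaymentRequestSafely(fakePaymentRequestFor(ctx), sampleMethodData, sampleDetails);
    console.log(name, "| current spec:", allowedUnderCurrentSpec(ctx),
                "| proposal:", allowedUnderProposal(ctx), "| ctor:", r.error || "ok");
  }
}
```

Note the `adInsideGame` case: the game frame opted in, but the ad it embeds did not receive the attribute, so under the chain rule it is still refused; whether delegation should work that way is exactly the kind of detail the proposal would need to settle.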