- From: Simon Pieters <notifications@github.com>
- Date: Mon, 05 Dec 2016 06:22:56 -0800
- To: w3c/browser-payment-api <browser-payment-api@noreply.github.com>
- Message-ID: <w3c/browser-payment-api/pull/359/review/11384354@github.com>
zcorpan requested changes on this pull request.
> @@ -343,8 +343,11 @@
<li>If the <a>browsing context</a> of the script calling the
constructor is a <a>nested browsing context</a> whose origin is
different from the <a>top-level browsing context</a>'s origin and the
- nested browsing context is not <a>allowed to make payment
- requests</a>, then <a>throw</a> a <a>SecurityError</a>.
+ nested <a>browsing context</a>'s <a>browsing context container</a> is
+ an <a><code>iframe</code></a> element whose <a>node document</a> is
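Review bot: the `+` lines replace the link to the defined term "allowed to make payment requests" with a test inlined into this step that the browsing context container is an `iframe` element, so the permission check is no longer stated in one place. Because that test is joined to the cross-origin condition with "and", a nested browsing context whose container is any other element does not satisfy the condition as written. Suggest keeping the check behind the single defined term and wording it so that it fails closed: every cross-origin nested browsing context that is not explicitly allowed reaches the <a>SecurityError</a>, whatever its container element is.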
So if it's not an `iframe` (e.g. it's `frame`/`object`/`embed`), it wouldn't throw. That's bad. Remove `iframe` check here I think.
> @@ -343,8 +343,11 @@
<li>If the <a>browsing context</a> of the script calling the
constructor is a <a>nested browsing context</a> whose origin is
I think this PR should be blocked on fixing these issues:
https://github.com/w3c/browser-payment-api/issues/324
https://github.com/w3c/browser-payment-api/issues/332
The whole paragraph doesn't make any sense right now and does not seem actually secure.
Received on Monday, 5 December 2016 14:23:34 UTC