[w3c/browser-payment-api] Invoke "allowed to use" always (#383) from Simon Pieters on 2016-12-15 (public-webpayments-specs@w3.org from December 2016)

From: Simon Pieters <notifications@github.com>
Date: Thu, 15 Dec 2016 06:12:14 -0800
To: w3c/browser-payment-api <browser-payment-api@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/browser-payment-api/pull/383@github.com>

The old text was only invoking "allowed to use" for non-top-level
browsing contexts, which means the active document check is not
done for the top-level document case.

The old text was only invoking "allowed to use" if a document in
the chain of ancestor browsing contexts were not same origin,
but this does not match Chromium. Chromium will throw an exception
for PaymentRequest in an iframe even if it's same origin. It also
means that if everything *is* same origin, then the active document
check in "allowed to use" would not be called.

The use case for allowpaymentrequest must be to allow cross-origin
documents in iframes to make payments. Otherwise, if everything is
same-origin, the document could just construct top.PaymentRequest
to bypass any checks, or set the allowpaymentrequest attribute on
its frameElement.

Fixes #361.

The active document check in "allowed to use" was added in
https://github.com/whatwg/html/pull/2160.
You can view, comment on, or merge this pull request online at:

  https://github.com/w3c/browser-payment-api/pull/383

-- Commit Summary --

  * Invoke "allowed to use" always

-- File Changes --

    M index.html (38)

-- Patch Links --

https://github.com/w3c/browser-payment-api/pull/383.patch
https://github.com/w3c/browser-payment-api/pull/383.diff

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/browser-payment-api/pull/383

Received on Thursday, 15 December 2016 14:12:47 UTC