Re: [w3c/browser-payment-api] Invoke "allowed to use" always (#383) from Boris Zbarsky on 2016-12-15 (public-webpayments-specs@w3.org from December 2016)

From: Boris Zbarsky <notifications@github.com>
Date: Thu, 15 Dec 2016 07:48:31 -0800
To: w3c/browser-payment-api <browser-payment-api@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/browser-payment-api/pull/383/c267361383@github.com>

The feature policy behavior for fullscreen and paymentrequest can easily differ, if they have different default feature policies.

In particular, I think the intent in feature policy is that the behavior HTML defines in "allowed to use" corresponds to a default feature policy of [] in non-toplevel browsing contexts.  The behavior @rsolomakhin wants corresponds to a default whitelist of "self".  Or at least that's the idea; the algorithms in the feature policy explainer don't quite do this right yet, but the intent is to be able to define both behaviors in terms of feature policy.

Note that for purposes of this discussion "same-origin iframe" means "same-origin with its parent", not with toplevel.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/browser-payment-api/pull/383#issuecomment-267361383

Received on Thursday, 15 December 2016 15:49:35 UTC