- From: Ian Clelland <notifications@github.com>
- Date: Mon, 07 May 2018 14:15:57 +0000 (UTC)
- To: w3c/payment-request <payment-request@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 7 May 2018 14:16:24 UTC
After re-reading all of the comments in this thread, I think I see the issue more clearly. This isn't about iframe sandboxing at all -- that works exactly as intended, as @devd points out. This comes up when the top-level document has sandboxed *itself* through the CSP `sandbox` directive. In that case, the browser's default policy is to allow the API in the main frame.

For now, this can be mitigated by also using the header

```http
Feature-Policy: payment 'none'
```

but perhaps sandboxed main frames *should* have features like this disabled by default. I don't think it should be a behavior specific to this API, but possibly to [Feature Policy](https://github.com/wicg/feature-policy) generally, for any features which are disabled in cross-origin frames by default.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/issues/698#issuecomment-387078727