Re: [w3c/payment-request] Editorial: use new user activation model (#885)

domenic commented on this pull request.



> @@ -956,11 +956,13 @@ <h2>
           follows:
         </p>
         <ol class="algorithm">
+          <li>Let |window:Window| be the [=relevant global object=] of the
+          [=environment settings object/responsible document=].
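
Review bot: the added step in the `<ol class="algorithm">` takes the [=environment settings object/responsible document=] without saying which environment settings object it belongs to, so |window| is ambiguous when the request originates in an iframe. Name the source object explicitly in this step, for example the settings object of this, or the payment-relevant browsing context if that is what is intended, so the later activation check refers to a single well-defined Window. The new `<li>` also has no closing `</li>` in the lines shown; close it if the rest of the list does.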

> Anyway, to finish this off, should I pull the relevant global from this or from the "payment-relevant browsing context"?

That's a great question, and really gets at some of the subtleties here.

Per https://html.spec.whatwg.org/#activation-notification:

- Whenever an iframed Window is activated, its ancestor (payment-relevant browsing context's Window) will be activated too.
- Whenever a payment-relevant browsing context is activated, its descendant will get activation, if its descendant is same-origin.

So the question for the spec editors is, do you want to allow clicking on the top-level Window to activate a PaymentRequest object that comes from a same-origin iframe? (You will never be able to allow clicking on the top-level Window to activate a PaymentRequest object that comes from a different-origin iframe, within the current framework.)

If you do, then checking the payment-relevant browsing context's WindowProxy's [[Window]] makes sense. If you don't, then checking the relevant global of this makes sense.

Personally I'd lean toward the more conservative option, but I'm unsure what folks have implemented, or what kind of workflows the PaymentRequest API hopes to support in this fashion.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/pull/885#discussion_r356278802

Received on Tuesday, 10 December 2019 21:10:46 UTC