- From: Marcos Cáceres <notifications@github.com>
- Date: Tue, 10 Dec 2019 18:10:11 -0800
- To: w3c/payment-request <payment-request@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/payment-request/pull/885/review/330262007@github.com>
marcoscaceres commented on this pull request.
> @@ -956,11 +956,13 @@ <h2>
follows:
</p>
<ol class="algorithm">
+ <li>Let |window:Window| be the [=relevant global object=] of the
+ [=environment settings object/responsible document=].
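Review bot: the added step reads "the [=environment settings object/responsible document=]" without saying whose environment settings object is meant, so |window| could be read as either the iframe's Window or the top-level Window when the request lives in a same-origin iframe. Suggest naming the owner explicitly, tying it to the PaymentRequest object the algorithm is running on, so that the window checked for activation is unambiguously the one in which show() was called. The added `<li>` is also not closed in the lines shown; worth confirming the closing `</li>` is present in the full change.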
Ok, Stripe depends on clicking within the iframe - so we are good there.

> So the question for the spec editors is, do you want to allow clicking on the top-level Window to activate a PaymentRequest object that comes from a same-origin iframe?
I don't think we do. The activated window should be the one where `request.show()` is called.
For the clarity of those watching at home:
```HTML
<button>pay</button>
<iframe src="same-origin.html" hidden>
<!-- this iframe won't activate the payment request. -->
</iframe>
```
This will never ever work, which is fine:
```HTML
<button>pay</button>
<iframe allowpaymentrequest src="https://cross.origin/" hidden>
</iframe>
```
This will work:
```HTML
<iframe src="same-origin.html">
<!-- something in iframe is clicked/activated, payment request works -->
</iframe>
<iframe allowpaymentrequest src="https://cross.origin/" hidden>
</iframe>
```
> Personally I'd lean toward the more conservative option, but I'm unsure what folks have implemented, or what kind of workflows the PaymentRequest API hopes to support in this fashion.
I agree. Let's go with that... or **this** 😂.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/pull/885#discussion_r356373106
Received on Wednesday, 11 December 2019 02:10:14 UTC