Re: [w3c/payment-request] Editorial: relationship to Feature Policy spec (#822) from Ian Clelland on 2019-01-15 (public-webpayments-specs@w3.org from January 2019)

From: Ian Clelland <notifications@github.com>
Date: Tue, 15 Jan 2019 11:29:40 -0800
To: w3c/payment-request <payment-request@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/payment-request/pull/822/review/192819293@github.com>

clelland commented on this pull request.



>        </h2>
-      <p data-tests=
-      "allowpaymentrequest/active-document-cross-origin.https.sub.html, allowpaymentrequest/active-document-same-origin.https.html, allowpaymentrequest/allowpaymentrequest-attribute-cross-origin-bc-containers.https.html, allowpaymentrequest/allowpaymentrequest-attribute-same-origin-bc-containers.https.html, allowpaymentrequest/basic.https.html, allowpaymentrequest/no-attribute-cross-origin-bc-containers.https.html, allowpaymentrequest/no-attribute-same-origin-bc-containers.https.html, allowpaymentrequest/removing-allowpaymentrequest.https.sub.html, allowpaymentrequest/setting-allowpaymentrequest-timing.https.sub.html, allowpaymentrequest/setting-allowpaymentrequest.https.sub.html">
-        To indicate that a cross-origin <a>iframe</a> is allowed to invoke the
-        payment request API, the <a>allowpaymentrequest</a> attribute can be
-        specified on the <a>iframe</a> element.
+      <p>
+        The <a data-cite="feature-policy">Feature Policy</a> specification
+        defines the "<code>payment</code>" feature and the <code><dfn data-cit=

This spec should probably define the actual feature -- similarly to https://html.spec.whatwg.org/#policy-controlled-features or https://fullscreen.spec.whatwg.org/#feature-policy-integration, it's just a matter of declaring the feature name and the default allowlist ('self' in this case)

And, as @annevk mentioned, the allowpaymentrequest attribute is defined in HTML.

The note in the fullscreen spec is actually a pretty good fit for the situation here. `allowfullscreen` affects the container policy, unless overridden by `allow`.

> @@ -635,14 +635,6 @@ <h2>
           act as follows:
         </p>
         <ol data-link-for="PaymentDetailsBase" class="algorithm">
-          <li data-tests=
-          "allowpaymentrequest/active-document-cross-origin.https.sub.html, allowpaymentrequest/active-document-same-origin.https.html, allowpaymentrequest/removing-allowpaymentrequest.https.sub.html, allowpaymentrequest/setting-allowpaymentrequest-timing.https.sub.html, allowpaymentrequest/setting-allowpaymentrequest.https.sub.html">
-          If the <a>current settings object</a>'s <a data-cite=

Agreed. I'm removing anything that even smells like it might be normative for some other spec from that document.

This step here can be reinstated, just changed to use the phrasing "If the current settings object's responsible document is not allowed to use the 'payment' feature ... ", and link "payment" to the definition of the `payment` feature elsewhere in this doc (similarly to https://fullscreen.spec.whatwg.org/#feature-policy-integration)

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/pull/822#pullrequestreview-192819293

Received on Tuesday, 15 January 2019 19:30:02 UTC