- From: Ade Bateman <notifications@github.com>
- Date: Wed, 09 Dec 2015 11:44:52 -0800
- To: WICG/paymentrequest <paymentrequest@noreply.github.com>
- Message-ID: <WICG/paymentrequest/issues/30@github.com>
This question has been raised as part of the discussion in issue #9. The spec for the [`PaymentRequest` constructor](https://wicg.github.io/paymentrequest/specs/paymentrequest.html#paymentrequest-constructor) currently states that if the API is not called from a [top-level browsing context](http://www.w3.org/TR/html5/browsers.html#top-level-browsing-context) then a `SecurityError` should be thrown. The goal of this step is to avoid iframes with potentially untrusted content from making a payment request that the user perceives is actually coming from the top-level page. For example, a well-known publication web site that inadvertently includes a malicious ad. The problem with this approach is that there are common scenarios where a site may host trusted third party content (e.g. games) in an iframe where the trusted content should be allowed to make a payment request. One proposal here is to introduce an new attribute (e.g. `payment`) onto the iframe element that gives permission for content to make payment requests. Since this is provided by the containing page they get to decide whether they trust the content. Another issue here is that an iframe may contain content from the same origin as the top-level browsing context. We should probably permit this call to be made and only block cross-origin payment requests. --- Reply to this email directly or view it on GitHub: https://github.com/WICG/paymentrequest/issues/30
Received on Wednesday, 9 December 2015 19:45:28 UTC