RE: Seeking feedback on "user consent" text in Web Payments Working Group specification

> On Fri, Oct 07, 2016 at 06:42:59, Mike O'Neill wrote:
> I wonder if the "allowpaymentrequest" attribute on an iframe is
> sufficient to stop rogue script dynamically creating iframes which
> present bogus payment requests to the user. Maybe a CSP directive would
> work here, or at least block payment requests from iframes when the top
> level context is not secure.

iframes for which the top level context is not secure are not Secure Contexts
and so the PaymentRequest API isn't available.

Received on Friday, 7 October 2016 18:15:14 UTC