- From: Adrian Bateman <adrianba@microsoft.com>
- Date: Fri, 7 Oct 2016 18:14:16 +0000
- To: Mike O'Neill <michael.oneill@baycloud.com>, 'Ian Jacobs' <ij@w3.org>, "public-privacy@w3.org" <public-privacy@w3.org>
- CC: 'Adam Roach' <abr@mozilla.com>, "'Telford-Reed, Nick'" <Nick.Telford-Reed@worldpay.com>, 'Adrian Hope-Bailie' <adrian@ripple.com>
> On Fri, Oct 07, 2016 at 06:42:59, Mike O'Neill wrote: > I wonder if the "allowpaymentrequest" attribute on an iframe is > sufficient to stop rogue script dynamically creating iframes which > present bogus payment requests to the user. Maybe a CSP directive would > work here, or at least block payment requests from iframes when the top > level context is not secure. iframes for which the top level context is not secure are not Secure Contexts and so the PaymentRequest API isn't available.
Received on Friday, 7 October 2016 18:15:14 UTC