- From: Adrian Hope-Bailie <notifications@github.com>
- Date: Thu, 01 Dec 2016 00:18:24 -0800
- To: w3c/browser-payment-api <browser-payment-api@noreply.github.com>
Received on Thursday, 1 December 2016 08:18:58 UTC
> Consider the case when our toplevel origin is A, which loads a subframe from origin B, which loads a subframe from origin A. This innermost frame would be allowed to make payment requests, as the spec is currently written, even if the B subframe is not. That seems very odd to me. Why does that seem odd? On the contrary I would think it's odd if A had to give permission to call payment request to B as a way to let B embed a frame from A that can. Use case example: Merchant A embeds frames from B who is a third-party that manages their advertising across all properties. A wishes to give B the ability to show advertisements with "click-to-buy" functionality but doesn't want B to be able to invoke the payment API directly. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/browser-payment-api/issues/332#issuecomment-264106851
Received on Thursday, 1 December 2016 08:18:58 UTC