Re: [w3c/browser-payment-api] Should the Payment Request API only be available in a top-level browsing context? (#2)

I finally cornered one of our security people on this. He points out that the kind of thing we're trying to do is congruent with the [delegated permissions work currently underway](https://noncombatant.github.io/permission-delegation-api/).

I propose we adopt this approach, which allows both declarative and imperative delegation of extra permissions to iframes.

Declaratively:
```html
<iframe src="..." permissions="payment"></iframe>
```

Imperatively:
```javascript
var iframe = document.getElementById('payment_frame');
navigator.permissions.delegate({embedee: iframe, name: 'geolocation'}).then(
  function() {
    // Delegation succeeded.
  }).catch(function() {
    // Delegation failed.
  });
```

In particular, we believe that using the `sandbox` attribute for this purpose, [as was discussed last month](https://www.w3.org/2016/05/12-wpwg-minutes.html#item08), is the wrong tool for this job, as it removes capabilities, rather than adding them.

---
https://github.com/w3c/browser-payment-api/issues/2#issuecomment-228463359

Received on Friday, 24 June 2016 21:13:42 UTC