Re: [w3c/payment-request] Disable Payment Request API in CSP/iframe sandbox (#698)

PaymentRequest should be disabled, by default, in any sandboxed frame, just by virtue of it being cross-origin to the main document. The only way around that would be with something like
```html
    <iframe sandbox="allow-same-origin allow-scripts" srcdoc="..."></iframe>
```
which would inherit the origin of the parent, and therefore *not* be cross-origin. That case should be treated like any other same-origin embed, practically, though. (The HTML spec [specifically warns against doing that](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-sandbox) and thinking that it's anything like actually being secure.)

`allowpaymentrequest`, and the equivalent `payment` policy-controlled feature, will currently enable the API in any cross-origin frame, including a sandboxed one, but that is entirely at the control of the developer including the sandboxed page. I'm pretty confident that that is sufficient to stop any content that shouldn't be using the API from using it, while giving developers enough control to enable it in a sandbox if they need it turned on for any reason.

https://github.com/w3c/payment-request/issues/698#issuecomment-378340767

Received on Tuesday, 3 April 2018 17:58:33 UTC
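Added example (not part of the comment above or of the payment-request repository): the three embed configurations the comment describes, with a probe the embedded document can run to report whether `PaymentRequest` can be constructed. `https://checkout.example/probe.html` and the method identifier are placeholders, and `probe.html` is assumed to contain the same script shown inline in the third frame.

```html
<!-- Case 1: cross-origin and sandboxed, no payment delegation.
     The sandbox gives the frame an opaque origin, so it is cross-origin to
     this document and `payment` is not enabled: the probe's
     new PaymentRequest(...) throws a SecurityError. -->
<iframe sandbox="allow-scripts"
        src="https://checkout.example/probe.html"></iframe>

<!-- Case 2: same sandbox, but the embedder opts in with the `payment`
     policy-controlled feature (`allowpaymentrequest` is the older spelling).
     Per the comment above, the embedded document can now use the API. -->
<iframe sandbox="allow-scripts" allow="payment"
        src="https://checkout.example/probe.html"></iframe>

<!-- Case 3: allow-same-origin plus srcdoc inherits the parent's origin, so
     the frame is NOT cross-origin and gets `payment` exactly as the parent
     has it. The sandbox attribute adds no isolation here. -->
<iframe sandbox="allow-same-origin allow-scripts"
        srcdoc="<script>
          try {
            // Placeholder method identifier; any URL-shaped identifier will do
            // for the purpose of reaching the 'allowed to use' check.
            new PaymentRequest(
              [{ supportedMethods: 'https://pay.example/method' }],
              { total: { label: 'Probe',
                         amount: { currency: 'USD', value: '1.00' } } });
            parent.postMessage('payment: enabled', '*');
          } catch (e) {
            parent.postMessage('payment: ' + e.name, '*');
          }
        </script>"></iframe>

<script>
  // Collect each frame's result. e.origin is the string "null" for the
  // opaque-origin frames (cases 1 and 2) and this page's origin for case 3.
  addEventListener('message', e => console.log(e.origin, e.data));
</script>
```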