Re: [w3c/payment-request] Allow user activation to be delegated to a child frame to trigger request.show() (#917)

I think we would need to pass on a time-limited "webpayment token" after a user click anyways, through a `postMessage()` or whatever means.

This is because an iframe attribute (similarly a permissions/feature policy) is static in nature, and independent from the timing of a user interaction. Without a time-limited token, an iframe attribute could allow the iframe to `.show()` in only two possible ways: either without a user activation at all (aka, always), or with a user click in the iframe. And neither of them is okay for this problem. Hopefully I didn't miss anything.


-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/issues/917#issuecomment-662687841

Received on Wednesday, 22 July 2020 20:47:28 UTC
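
A toy model of the reasoning in the message above, added here as an illustration; it is not part of the original message and is not the Payment Request API or any browser's implementation. The function names, the 5-second lifetime and the single-use rule are assumptions.

```javascript
// Toy model, not browser code. All names and TTL_MS are hypothetical.
const TTL_MS = 5000; // assumed token lifetime; the thread gives no value

// Static attribute, reading 1: the iframe may call show() at any time.
const staticAlways = () => true;

// Static attribute, reading 2: the iframe needs a recent click of its own.
const staticOwnClick = (now, childClickAt) =>
  childClickAt !== null && now >= childClickAt && now - childClickAt <= TTL_MS;

// Time-limited token: minted by the parent from its own click and handed to
// the iframe (for example via postMessage). Expiry is tied to the click time.
function issueToken(now, parentClickAt) {
  if (parentClickAt === null || now < parentClickAt || now - parentClickAt > TTL_MS) return null;
  return { expiresAt: parentClickAt + TTL_MS, used: false };
}

// The iframe redeems the token when it calls show(). Single use is an
// assumption added here so a captured token cannot be replayed.
function showWithToken(now, token) {
  if (!token || token.used || now > token.expiresAt) return false;
  token.used = true;
  return true;
}

// Constructed timeline: the user clicks in the parent at t=0 and never
// clicks inside the iframe. The iframe tries show() at several times.
function compare() {
  const parentClickAt = 0, childClickAt = null;
  const token = issueToken(100, parentClickAt);
  return {
    alwaysBeforeAnyClick: staticAlways(),                         // true: no user intent needed
    ownClickAfterParentClick: staticOwnClick(1000, childClickAt), // false: wrong frame clicked
    tokenInWindow: showWithToken(1000, token),                    // true
    tokenReplay: showWithToken(1500, token),                      // false: already used
    tokenLate: showWithToken(60000, issueToken(100, parentClickAt)), // false: expired
    tokenNoClick: issueToken(100, null),                          // null: nothing to delegate
  };
}

console.log(compare());
```

Only the token path ties the iframe's `show()` to the moment of the parent click, which is the timing property a static attribute cannot express.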