- From: Danyao Wang <notifications@github.com>
- Date: Wed, 16 Sep 2020 13:11:57 -0700
- To: w3c/payment-request <payment-request@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/payment-request/pull/928/review/489984396@github.com>
@danyao requested changes on this pull request.
Sorry for missing this bit of detail yesterday. I think we need to recommend `allow="payment *"` instead of `allow="payment"` as the replacement for `allowpaymentrequest`.
> @@ -594,6 +597,23 @@ <h3>
doPaymentRequest();
</pre>
</section>
+ <section>
+ <h2>
+ Using with cross-origin iframes
+ </h2>
+ <p>
+ To indicate that a cross-origin [^iframe^] is allowed to invoke the
+ payment request API, the [^iframe/allow^] attribute along with the
+ "payment" keyword can be specified on the [^iframe^] element.
+ </p>
+ <pre class="example html" title=
+ "Using Payment Request API with cross-origin iframes">
+ <iframe
+ src="https://cross-origing.example"
+ allow="payment">
It was pointed out to me on https://bugs.chromium.org/p/chromium/issues/detail?id=1127988#c2 that the equivalent of `allowpaymentrequest` is actually `allow="payment *"`.
If I'm reading the [Permissions Policy spec][1] correctly, `allow="payment"` (without the *) only enables Payment Request API in same-origin iframes. @clelland to confirm.
[1]: https://w3c.github.io/webappsec-permissions-policy/#allowlists
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/pull/928#pullrequestreview-489984396
Received on Wednesday, 16 September 2020 20:12:11 UTC