- From: Ian Clelland <notifications@github.com>
- Date: Wed, 16 Sep 2020 13:34:28 -0700
- To: w3c/payment-request <payment-request@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 16 September 2020 20:34:44 UTC
@clelland commented on this pull request.
> @@ -594,6 +597,23 @@ <h3>
doPaymentRequest();
</pre>
</section>
+ <section>
+ <h2>
+ Using with cross-origin iframes
+ </h2>
+ <p>
+ To indicate that a cross-origin [^iframe^] is allowed to invoke the
+ payment request API, the [^iframe/allow^] attribute along with the
+ "payment" keyword can be specified on the [^iframe^] element.
+ </p>
+ <pre class="example html" title=
+ "Using Payment Request API with cross-origin iframes">
+ <iframe
+ src="https://cross-origing.example"
+ allow="payment">
`allow="payment *"` is the right replacement, yes. +1 to that change.
`allow="payment"` is shorthand for `allow="payment 'src'"`, which means roughly that the origin in the `src` attribute is granted permission, but if the iframe navigates away from that origin, it will be denied.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/pull/928#discussion_r489737905
Received on Wednesday, 16 September 2020 20:34:44 UTC