Re: [w3c/payment-request] Deprecate allowpaymentrequest attribute (#928) from Marcos Cáceres on 2020-09-17 (public-webpayments-specs@w3.org from September 2020)

From: Marcos Cáceres <notifications@github.com>
Date: Wed, 16 Sep 2020 19:14:38 -0700
To: w3c/payment-request <payment-request@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/payment-request/pull/928/review/490196417@github.com>

@marcoscaceres commented on this pull request.



> @@ -594,6 +597,23 @@ <h3>
           doPaymentRequest();
         </pre>
       </section>
+      <section>
+        <h2>
+          Using with cross-origin iframes
+        </h2>
+        <p>
+          To indicate that a cross-origin [^iframe^] is allowed to invoke the
+          payment request API, the [^iframe/allow^] attribute along with the
+          "payment" keyword can be specified on the [^iframe^] element.
+        </p>
+        <pre class="example html" title=
+        "Using Payment Request API with cross-origin iframes">
+            &lt;iframe
+              src="https://cross-origing.example"
+              allow="payment"&gt;

ok, good catch. I might add both to the example, just to make sure it's clear which to use in situations where the iframe will be navigated to multiple origins. I think `allow="payment"` should be preferred in most cases, as `allow="payment *"` might be overly generous. 

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/pull/928#discussion_r489883891

Received on Thursday, 17 September 2020 02:14:50 UTC