-
Notifications
You must be signed in to change notification settings - Fork 135
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The origin restrictions in the PaymentRequest are not nearly strong enough #332
Comments
Why does that seem odd? On the contrary I would think it's odd if A had to give permission to call payment request to B as a way to let B embed a frame from A that can. Use case example: Merchant A embeds frames from B who is a third-party that manages their advertising across all properties. A wishes to give B the ability to show advertisements with "click-to-buy" functionality but doesn't want B to be able to invoke the payment API directly. |
Because it allows B to trigger payment requests from A by when A might not expect it to. Note that the proposed feature policy API has exactly the semantics I'm talking about: if a document doesn't have permission to do something, neither do any of its descendants. And I believe that having the payment permissions model be describable by feature policy is an explicit goal. So if it can't be, one or the other is wrong and needs to change. |
I disagree. Both contexts from origin A (the top-level and innermost contexts) can trigger payment requests but the other context (with origin B) cannot. |
The point is, it allows B to embed an A iframe and try to manipulate it in various ways (postMessage, URL structure, etc) to try to get it to trigger a payment request. If the inner iframe is written defensively enough this may be ok, but if it's not, you end up with a problem. |
Step 3 of the steps in https://w3c.github.io/browser-payment-api/#constructor (I see no way to link to the steps directly) says:
This has at least two problems (not counting the already-filed #324 and #323):
The text was updated successfully, but these errors were encountered: