[BUG] iframe allow="monetization"

[thejustinwalsh]

Describe the bug
When visiting sites that have content in an iframe with allow="monetization" set Akita does not track the payments being streamed, or that the page supports monitization.

To Reproduce
Steps to reproduce the behavior:

1. Go to 'https://gunnywatcher.itch.io/firsttest' or 'https://defold.itch.io/climberz'
2. Click on 'Run Game'
3. See absence of tracking

Expected behavior
Tracking of web monetization in iframes per:
https://webmonetization.org/docs/api/#iframes

Desktop (please complete the following information):

• Windows 10
• Brave Version 1.16.72 Chromium: 86.0.4240.183 (Official Build) (64-bit)

[sharon-wang]

Thanks for opening this bug @thejustinwalsh!

Looks like we missed this in the WM API docs. We'll need to check for iframes that include allow="monetization", and read the file indicated in src to see if a meta tag with monetization is specified. Then we'll need to listen for monetization events as appropriate and save the data.

I've added this issue into our upcoming milestone.

[vezwork]

Here's some docs on iframes that are relevant: https://www.w3schools.com/howto/howto_js_element_iframe.asp We can use this to get the monetization meta tag inside an iframe.

[vezwork]

Doing some research, here's what I've found.

What does the spec say about iframes?

There is a conflict between what the W3C Web Monetization Spec, webmonetization.org, and the Interledger rfcs say about monetization tags inside src pages of iframes. The W3C spec and the Interledger rfcs say (This line added to the rfcs on July 11 2019):

The Tags Set MUST be in the top level window (i.e. not inside an iframe)

But webmonetization.org says (this line added on April 22 2020):

You can monetize an iframe by adding monetization to the iframe's allow attribute

Going by the blame dates listed above in parentheses, the info that monetization tags inside src pages of iframes are allowed seems to be more up-to-date. However, confusingly, the interledger rfcs used to match webmonetization.org in iframes info, but were later updated to say iframes are not allowed.

Can I access the contents of an iframe using a content-script?

When I try to programmatically access the meta tag in the iframe on https://defold.itch.io/climberz by running document.getElementById('game_drop').contentWindow in the console I get the error Uncaught DOMException: Blocked a frame with origin "https://defold.itch.io" from accessing a cross-origin frame. So, it seems that accessing the contents of an iframe using Akita's content-script is not possible :(.

The Coil extension may work around this problem by getting the src attribute of iframes on a page using a content-script and then fetching them on the server-side, or it may fetch them using a background-script. After it is fetched, the content of iframe may be searched for the meta tag. This unfortunately seems to make handling monetization meta tags in iframes complex.

Going to try to see how they do it in the Coil Extension Source

[thejustinwalsh]

This appears to be the PR where iFrames are implemented in the coil extension
interledger/web-monetization-projects#415

[vezwork]

Thanks @thejustinwalsh !

I found what looks to be a solution to the problem of accessing iframe contents in this stackoverflow thread: https://stackoverflow.com/questions/11325415/access-iframe-content-from-a-chromes-extension-content-script.

It says that we can add a flag to our manifest which tells chrome to run our content script in iframes as well. Once we have a content script running in an iframe, we can then communicate with the top level page's content script (the page that contains the iframe) through our background script. This adds a bit of complexity but it's not too bad, I'm confident this should work!

[sharon-wang]

There is a conflict between what the W3C Web Monetization Spec, webmonetization.org, and the Interledger rfcs say about monetization in iframes. The W3C spec and the Interledger rfcs say (This line added to the rfcs on July 11 2019):

The Tags Set MUST be in the top level window (i.e. not inside an iframe)

But webmonetization.org says (this line added on April 22 2020):

You can monetize an iframe by adding monetization to the iframe's allow attribute

Going by the blame dates listed above in parentheses, monetized iframes being allowed seems to be the more up-to-date info. However, confusingly, the interledger rfcs used to match webmonetization.org in iframes info, but were later updated to say iframes are not allowed.

I think monetization with iframes was always allowed, but the form in which they can be monetized has evolved. I don't think there's a conflict between the specs, as iframes can be monetized, it's just that iframes themselves do not contain the monetization meta tag.

Previously, you could add a monetization meta tag within an iframe, but now the meta tag itself must only be set within the parent window of the iframe. If you want to monetize an iframe, you need to add allow="monetization" to the iframe and the iframe's src attribute must be a page that has a monetization meta tag in it, i.e.

 <iframe src = "/wm/example.htm" width = "600" height = "800" allow="monetization">

More examples of iframe monetization from the PR Justin linked: https://github.com/coilhq/web-monetization-projects/pull/415/files#diff-35ab4e71562e0cae7163e828dbb4369ee41eb76372b70fc9d282ff78ca6620da

[vezwork]

I've updated my comment above to make my use of language more clear. @sharon-wang and I discussed and we have decided that the webmonetization.org spec is the most up-to-date, and we will follow it over other specs. Based off the webmonetization.org spec, monetization tags inside src pages of iframes is allowed as long as the iframe has the allow="monetization" attribute.

@sharon-wang and I have decided on a simple design for tracking payments and time spent, taking into account iframes:

• Following the spec, only iframes with the allow="monetization" attribute will count as monetized, have their time tracked as monetized, and have their payments registered. If the iframe does not have this attribute, or the attribute is programmatically removed, the iframe will not be counted as being monetized.
• iframe monetization and time spent are tracked as part of the top-level page's AkitaOriginData. i.e. if an iframe is monetized then the top-level page containing the iframe will be considered monetized, and any time spent at that page will be considered monetized time for the page's origin.
• A new field called iframeSrcOrigin will be added to AkitaPaymentPointerData to keep track of the origin of payment pointers inside of iframes. (actually not necessary right now, this may be not be added)

In summary, users only care about whether time spent at an origin is monetized or not. As such, iframes contribute to the top-level page's decision on whether the page's origin is currently monetized or not. Additionally, if users with a provider send payments to a payment pointer in an iframe, this is tracked using the iframeSrcOrigin field.

[vezwork]

@thejustinwalsh this is fixed! Let us know if you have any troubles or comments! :)

[thejustinwalsh]

Awesome, pulling and updating now! Amazing work!

[thejustinwalsh]

Working like a charm! Thanks again!