New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Block payment handler in iframes by default #281
Comments
Hi @rsolomakhin, Can you describe the use cases that motivate this? Thanks! Ian |
Suppose <iframe src="https://maps.com/?lat=30&lng=40"></iframe> A user would be very surprised if On the other hand, suppose <iframe src="https://psp.com/checkoutbutton.html" allow="payment"></iframe> |
"Since this is a very forward-thinking PSP, it uses the W3C web payment standards." /me giggles Thank you for the use case detail, |
Before this patch, any iframe could install a Payment Handler by calling `paymentManager.instruments.set()`. This patch checks for the feature policy "payment" before allowing any operations on `paymentManager.instruments`. After this patch, a cross-origin iframe will reject all operations on `paymentManager.instruments` by default. The parent context can explicitly allow the iframe to use the Payment Handler API through feature policy. This can be accomplished via the iframe attribute `allow="payment"`, for example. Note that the same feature policy controls access to Payment Request API as well. Discussion: w3c/payment-handler#281 Spec change: w3c/payment-handler#282 Payment Handlers are behind a flag: chrome://flags/#service-worker-payment-apps Manual test: https://rsolomakhin.github.io/pr/apps/iframe/ Bug: 828948 Change-Id: I0259555692fa0b215d3700c233b3687724e665cb Reviewed-on: https://chromium-review.googlesource.com/1005275 Commit-Queue: Rouslan Solomakhin <rouslan@chromium.org> Reviewed-by: Ganggui Tang <gogerald@chromium.org> Cr-Commit-Position: refs/heads/master@{#550629}
Similar to Payment Request, let's block Payment Handler APIs in cross-origin iframes by default. We can use Feature Policy to selectively enable it like so:
The
allow="payment"
attribute also enables Payment Request.The text was updated successfully, but these errors were encountered: