Block payment handler in iframes by default #281

Open
rsolomakhin opened this issue Apr 5, 2018 · 3 comments

@rsolomakhin
Collaborator

rsolomakhin commented Apr 5, 2018

Similar to Payment Request, let's block Payment Handler APIs in cross-origin iframes by default. We can use Feature Policy to selectively enable it like so:

```html
<iframe src="https://other.com/paymenthandler" allow="payment"></iframe>
```

The `allow="payment"` attribute also enables Payment Request.

@ianbjacobs
Contributor

Hi @rsolomakhin,

Can you describe the use cases that motivate this? Thanks!

Ian

@rsolomakhin
Collaborator Author

Suppose https://merchant.com includes an iframe from a 3rd party website to get some functionality that is not payment specific, like an interactive map with directions to their physical location.

```html
<iframe src="https://maps.com/?lat=30&lng=40"></iframe>
```

A user would be very surprised if https://maps.com attempted to install a payment handler while the user was visiting https://merchant.com. Therefore, let's prohibit cross-origin iframes from installing payment handlers by default.

On the other hand, suppose https://merchant.com includes an iframe from a payment processor to improve their checkout process. Since this is a very forward-thinking PSP, it uses the W3C web payment standards. In this case, the merchant can explicitly allow this particular iframe to install a payment handler and/or invoke Payment Request.

```html
<iframe src="https://psp.com/checkoutbutton.html" allow="payment"></iframe>
```

@ianbjacobs
Contributor

@rsolomakhin,

"Since this is a very forward-thinking PSP, it uses the W3C web payment standards."

/me giggles

Thank you for the use case detail,
Ian

aarongable pushed a commit to chromium/chromium that referenced this issue Apr 13, 2018
Before this patch, any iframe could install a Payment Handler by calling
`paymentManager.instruments.set()`.

This patch checks for the feature policy "payment" before allowing any
operations on `paymentManager.instruments`.

After this patch, a cross-origin iframe will reject all operations on
`paymentManager.instruments` by default. The parent context can
explicitly allow the iframe to use the Payment Handler API through
feature policy. This can be accomplished via the iframe attribute
`allow="payment"`, for example. Note that the same feature policy
controls access to Payment Request API as well.

Discussion:
w3c/payment-handler#281

Spec change:
w3c/payment-handler#282

Payment Handlers are behind a flag:
chrome://flags/#service-worker-payment-apps

Manual test:
https://rsolomakhin.github.io/pr/apps/iframe/

Bug: 828948
Change-Id: I0259555692fa0b215d3700c233b3687724e665cb
Reviewed-on: https://chromium-review.googlesource.com/1005275
Commit-Queue: Rouslan Solomakhin <rouslan@chromium.org>
Reviewed-by: Ganggui Tang <gogerald@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550629}
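
The default-deny and `allow="payment"` delegation described in this thread can be audited from a merchant page's markup. The following is an added example, not code from the thread, the spec, or Chromium: a simplified model of how the "payment" policy resolves for each iframe. It assumes the top-level page itself has the feature, and `PAGE_URL`, `SAMPLE_HTML`, the `/widgets/cart.html` and `ads.example` frames, and all function names are constructed for illustration.

```javascript
// Simplified model of the "payment" feature policy for iframes embedded in a page.
// Constructed sample markup; merchant.com, maps.com and psp.com come from the discussion.
const PAGE_URL = "https://merchant.com/checkout";
const SAMPLE_HTML = `
<iframe src="https://maps.com/?lat=30&lng=40"></iframe>
<iframe src="https://psp.com/checkoutbutton.html" allow="payment"></iframe>
<iframe src="/widgets/cart.html"></iframe>
<iframe src="https://ads.example/banner" allow="geolocation; payment 'none'"></iframe>
`;

// Return the allowlist tokens for `feature` in an allow attribute, or null if absent.
function allowlistFor(allowAttr, feature) {
  for (const directive of (allowAttr || "").split(";")) {
    const [name, ...tokens] = directive.trim().split(/\s+/);
    // A bare feature name is shorthand for the 'src' allowlist.
    if (name === feature) return tokens.length ? tokens : ["'src'"];
  }
  return null;
}

// Decide whether a framed document may use payment APIs, and why.
function paymentVerdict(pageUrl, src, allowAttr) {
  const pageOrigin = new URL(pageUrl).origin;
  const frameOrigin = new URL(src, pageUrl).origin;
  const list = allowlistFor(allowAttr, "payment");
  if (list === null) {
    // Default allowlist is 'self': only same-origin frames inherit the feature.
    return frameOrigin === pageOrigin
      ? { frameOrigin, allowed: true, reason: "same-origin default" }
      : { frameOrigin, allowed: false, reason: "cross-origin, blocked by default" };
  }
  const match = list.some((t) =>
    t === "*" || t === "'src'" ||
    (t === "'self'" ? frameOrigin === pageOrigin : t === frameOrigin));
  return { frameOrigin, allowed: match, reason: match ? "delegated by allow attribute" : "excluded by allow attribute" };
}

// Audit every iframe in a page's markup (regex scan is adequate for this sample only).
function auditIframes(pageUrl, html) {
  const results = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const attr = (n) => (tag.match(new RegExp(`\\b${n}="([^"]*)"`, "i")) || [])[1];
    results.push(paymentVerdict(pageUrl, attr("src"), attr("allow")));
  }
  return results;
}

console.table(auditIframes(PAGE_URL, SAMPLE_HTML));
```

Every row reported as "delegated by allow attribute" is a third party the embedding page has explicitly trusted with both Payment Handler and Payment Request, so that list is the one to review.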