Integrate with Feature Policy (#822)
marcoscaceres committed Jan 29, 2019
1 parent da1bf5f commit 5966e82
Showing 1 changed file with 44 additions and 9 deletions.
53 changes: 44 additions & 9 deletions index.html
Expand Up @@ -617,13 +617,11 @@ <h2>
act as follows:
</p>
<ol data-link-for="PaymentDetailsBase" class="algorithm">
<li data-tests=
"allowpaymentrequest/active-document-cross-origin.https.sub.html, allowpaymentrequest/active-document-same-origin.https.html, allowpaymentrequest/removing-allowpaymentrequest.https.sub.html, allowpaymentrequest/setting-allowpaymentrequest-timing.https.sub.html, allowpaymentrequest/setting-allowpaymentrequest.https.sub.html">
If the <a>current settings object</a>'s <a data-cite=
<li>If the <a>current settings object</a>'s <a data-cite=
"HTML#responsible-document">responsible document</a> is not
<a>allowed to use</a> the feature indicated by attribute name
<a>allowpaymentrequest</a>, then <a>throw</a> a
"<a>SecurityError</a>" <a>DOMException</a>.
<a>allowed to use</a> the "<a data-lt="payment-feature">payment</a>"
feature, then <a>throw</a> a "<a>SecurityError</a>"
<a>DOMException</a>.
</li>
<li>Let <var>serializedMethodData</var> be an empty list.
</li>
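Review bot: The replacement `<li>` for the "allowed to use" check no longer carries the `data-tests` attribute that the old step had, so the step that throws "SecurityError" is not linked to any of the allowpaymentrequest/ tests after this change. This step is what gates the constructor on policy, so I would keep a `data-tests` list on the new `<li>` (the existing files where they still apply, or whichever tests cover the "payment" feature) so the check stays traceable to test coverage.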
Expand Down Expand Up @@ -3475,12 +3473,49 @@ <h2>
<h2>
<code>PaymentRequest</code> and <code>iframe</code> elements
</h2>
<p data-tests=
"allowpaymentrequest/active-document-cross-origin.https.sub.html, allowpaymentrequest/active-document-same-origin.https.html, allowpaymentrequest/allowpaymentrequest-attribute-cross-origin-bc-containers.https.html, allowpaymentrequest/allowpaymentrequest-attribute-same-origin-bc-containers.https.html, allowpaymentrequest/basic.https.html, allowpaymentrequest/no-attribute-cross-origin-bc-containers.https.html, allowpaymentrequest/no-attribute-same-origin-bc-containers.https.html, allowpaymentrequest/removing-allowpaymentrequest.https.sub.html, allowpaymentrequest/setting-allowpaymentrequest-timing.https.sub.html, allowpaymentrequest/setting-allowpaymentrequest.https.sub.html">
<p>
To indicate that a cross-origin <a>iframe</a> is allowed to invoke the
payment request API, the <a>allowpaymentrequest</a> attribute can be
specified on the <a>iframe</a> element.
specified on the <a>iframe</a> element. See <a href=
"#feature-policy"></a> for details of how <a>allowpaymentrequest</a>
and <a data-cite="feature-policy">Feature Policy</a> interact.
</p>
</section>
<section id="feature-policy">
<h2>
Feature Policy integration
</h2>
<p>
This specification defines a policy-controlled feature identified by
the string "<code><dfn data-lt="payment-feature" data-nodefault=
"">payment</dfn></code>". Its <a href=
"feature-policy#default-allowlist">default allowlist</a> is
'<code>self</code>'.
</p>
<div class="note">
<p>
A <a data-cite="html#concept-document">document</a>’s <a data-cite=
"html/multipage/dom.html#concept-document-feature-policy">feature
policy</a> determines whether any content in that document is allowed
to construct <a>PaymentRequest</a> instances. If disabled in any
document, no content in the document will be <a>allowed to use</a>
the <a>PaymentRequest</a> constructor (trying to create an instance
will throw).
</p>
<p>
The <a>allowpaymentrequest</a> attribute of the HTML <a>iframe</a>
element affects the <a data-cite=
"feature-policy#container-policy">container policy</a> for any
document nested in that iframe. Unless overridden by the
<code><a data-cite=
"html/multipage/iframe-embed-object.html#attr-iframe-allow">allow</a></code>
attribute, setting <a>allowpaymentrequest</a> on an iframe is
equivalent to <code>&lt;iframe allow="fullscreen *"&gt;</code>, as
described in <a href=
"feature-policy#iframe-allowpaymentrequest-attribute">Feature Policy
§iframe-allowpaymentrequest-attribute</a>.
</p>
</div>
</section>
<section>
<h2>
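Review bot: In the note in the new "Feature Policy integration" section, the sentence about allowpaymentrequest says it is equivalent to `<iframe allow="fullscreen *">`, which names the wrong feature. This section defines the feature string as "payment", so the example should read `<iframe allow="payment *">`. As written, an author copying the markup would delegate fullscreen to every origin and not grant payment at all. Separately, the "default allowlist" link and the "§iframe-allowpaymentrequest-attribute" link use `href="feature-policy#..."` while the neighbouring references use `data-cite`; a plain `href` will resolve relative to this document rather than to the Feature Policy spec, so those two should be `data-cite` as well.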

0 comments on commit 5966e82
