[Webkit-unassigned] [Bug 226345] New: Support Apple Pay in cross-origin iframes with allow=payment attribute

bugzilla-daemon at webkit.org
Thu May 27 10:40:29 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=226345

            Bug ID: 226345
           Summary: Support Apple Pay in cross-origin iframes with
                    allow=payment attribute
           Product: WebKit
           Version: Safari 14
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore JavaScript
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: bradg at dropbox.com

Web pages that use a third-party payment vendor for a checkout flow may integrate the vendor in a cross-origin iframe to prevent the vendor from accessing non-payment data on the top-level/main origin. However, this integration does not allow using Apple Pay due to this error: https://github.com/WebKit/WebKit/blob/Safari-612.1.11/Source/WebCore/Modules/applepay/PaymentSession.cpp#L63

The Payment Request spec supports this use case by allowing the top-level/main origin to delegate payments permission to an iframe using the allow attribute: https://www.w3.org/TR/payment-request/#using-with-cross-origin-iframes. This opt-in mechanism prevents abuse by untrusted iframes because the top origin determines which of its children it intends to provide payments.

Safari/WebKit should support this attribute/use case in the Payment Request and Apple Pay APIs.

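The delegation mechanism the report refers to, as an added example that is not part of the original bug report and is not WebKit code: a simplified JavaScript model of how an iframe's `allow` attribute decides whether a framed document receives the `payment` feature, plus a small audit helper for spotting over-broad grants. The function names (`parseAllow`, `paymentAllowedInFrame`, `auditFrames`) and the `.example` origins are hypothetical; the model assumes the parent page sends no Permissions-Policy header and that the frame's origin is the origin of its `src` URL.

```javascript
// Simplified model (added example) of how <iframe allow="..."> delegates the
// "payment" feature, whose default allowlist is 'self'.
// Assumptions: the parent sends no Permissions-Policy header, payment is
// enabled in the parent, and the frame's origin is the origin of its src URL.

// Parse an allow attribute into a Map of feature name -> allowlist tokens.
function parseAllow(allowAttr) {
  const policy = new Map();
  for (const directive of (allowAttr || "").split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    // A feature named without an allowlist is delegated to 'src'.
    policy.set(tokens[0], tokens.length > 1 ? tokens.slice(1) : ["'src'"]);
  }
  return policy;
}

// Decide whether the framed document may use payment APIs.
function paymentAllowedInFrame(parentUrl, frameSrc, allowAttr) {
  const parentOrigin = new URL(parentUrl).origin;
  const frameOrigin = new URL(frameSrc).origin;
  const allowlist = parseAllow(allowAttr).get("payment");
  // No delegation: the default allowlist 'self' covers same-origin frames only.
  if (!allowlist) return frameOrigin === parentOrigin;
  return allowlist.some((token) => {
    if (token === "*" || token === "'src'") return true;
    if (token === "'none'") return false;
    if (token === "'self'") return frameOrigin === parentOrigin;
    try { return new URL(token).origin === frameOrigin; } catch { return false; }
  });
}

// Audit helper: list frames that receive payment, flagging wildcard grants.
function auditFrames(parentUrl, frames) {
  return frames
    .filter((f) => paymentAllowedInFrame(parentUrl, f.src, f.allow))
    .map((f) => ({
      src: f.src,
      wildcard: (parseAllow(f.allow).get("payment") || []).includes("*"),
    }));
}

// Constructed sample frames for a hypothetical checkout page.
const SAMPLE_FRAMES = [
  { src: "https://pay.vendor.example/checkout", allow: "payment" },
  { src: "https://ads.example/banner", allow: "" },
  { src: "https://widgets.example/chat", allow: "camera; payment *" },
];
console.log(auditFrames("https://shop.example/cart", SAMPLE_FRAMES));
```

A wildcard grant keeps the feature available to whatever origin the frame ends up on, so the audit flags it separately from a grant scoped to the frame's `src`.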