[Webkit-unassigned] [Bug 229406] Add "payment" permissions policy

bugzilla-daemon at webkit.org
Fri Oct 1 17:57:07 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=229406

--- Comment #16 from Brad <bradg at dropbox.com> ---
Sure, is there an update from them? I reopened the other ticket.

From the developer perspective, it makes it difficult to build a safe Apple Pay integration when using third-party vendors, which need to be trusted to process payments but not to receive access to sensitive user data and cookies on the top-level origin.

This top-level origin restriction made sense from a security perspective before the "payment" permissions policy was implemented, to prevent arbitrary iframes from asking for payments that the top origin didn't intend. But now that this attribute works and is default denied, it seems safe to allow top origins to delegate the ability to their own payment vendors in specific iframes.
