[Webkit-unassigned] [Bug 265130] New: New allow="payment" attribute does not work in nested iFrame lacking the src attribute

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Nov 20 06:14:21 PST 2023


https://bugs.webkit.org/show_bug.cgi?id=265130

            Bug ID: 265130
           Summary: New allow="payment" attribute does not work in nested
                    iFrame lacking the src attribute
           Product: WebKit
           Version: Safari 17
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Frames
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: appsbylamby at gmail.com

As of Safari 17 (Release Notes [https://developer.apple.com/documentation/safari-release-notes/safari-17-release-notes#Apple-Pay]), Apple Pay is supported within cross-origin iframes with the allow="payment" attribute.

This attribute enables Apple Pay even when nesting iframes, so long as each frame in the chain has this same allow="payment" attribute.

Unfortunately, the chain appears to break when a parent iframe lacks a src attribute. I believe this is because the rule also requires a secure https host. I noticed this behavior when testing the new allow="payment" attribute within a Google Ad which nests content within an iframe like this example:

<iframe id="google_ads_iframe_/6782/GenAptTherapy/Post/Right_Rail/Right_Rail_001_0" name="google_ads_iframe_/6782/GenAptTherapy/Post/Right_Rail/Right_Rail_001_0" title="3rd party ad content" width="300" height="600" scrolling="no" marginwidth="0" marginheight="0" frameborder="0" role="region" aria-label="Advertisement" tabindex="0" allow="payment; attribution-reporting" style="border: 0px; vertical-align: bottom;" data-load-complete="true" data-google-container-id="2">

// #document
// ... our iframe containing allow="payment" attribute <iframe allow="payment" src="https://example.com" />

</iframe>

Notice how the parent lacks a "src" attribute. It works fine when a src attribute is applied to the parent. In the console, I see complaints about the request to Apple Pay failing and a complaint about the parent frame not being secure (because it lacks a src attribute).

My proposal is to allow the payment attribute when the parent frame lacks the src attribute.

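The chain rule described in the report can be audited mechanically. The following is an added example, not part of the original report and not WebKit code: it parses each frame's allow attribute and flags frames that do not delegate "payment" or that have no src. The frame objects, function names and issue labels are assumptions made for illustration, and the check models only the rule as the report states it.

```javascript
// Added example: audit a described iframe chain for allow="payment" delegation.
// Frame objects ({allow, src}) are constructed input, outermost frame first.

// Parse an allow attribute such as "payment; attribution-reporting" into a
// Map of feature name -> allowlist tokens (empty array when none is given).
// This example keeps the first occurrence of a repeated feature.
function parseAllow(attr) {
  const policy = new Map();
  for (const directive of (attr || "").split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const feature = tokens[0].toLowerCase();
    if (!policy.has(feature)) policy.set(feature, tokens.slice(1));
  }
  return policy;
}

// Return one finding per problem, with the depth of the frame it applies to.
function auditChain(frames) {
  const findings = [];
  frames.forEach((frame, depth) => {
    const allowlist = parseAllow(frame.allow).get("payment");
    if (allowlist === undefined) {
      findings.push({ depth, issue: "no-payment-delegation" });
    } else if (allowlist.includes("'none'")) {
      findings.push({ depth, issue: "payment-disabled" });
    }
    // The case from the report: a frame in the chain without a src attribute.
    if (!frame.src) findings.push({ depth, issue: "srcless-frame" });
  });
  return findings;
}

// Constructed chain mirroring the report: srcless ad container, then our frame.
const reportedChain = [
  { allow: "payment; attribution-reporting", src: null },
  { allow: "payment", src: "https://example.com" },
];
console.log(auditChain(reportedChain));
```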