[Webkit-unassigned] [Bug 271409] New: ApplePay session can only be initialized from top-level domain even when using new allow="payment" attribute
bugzilla-daemon at webkit.org
Thu Mar 21 13:39:45 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=271409
Bug ID: 271409
Summary: ApplePay session can only be initialized from top-level domain even when using new allow="payment" attribute
Product: WebKit
Version: Safari 17
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Frames
Assignee: webkit-unassigned at lists.webkit.org
Reporter: appsbylamby at gmail.com
As of Safari 17 (Release Notes [https://developer.apple.com/documentation/safari-release-notes/safari-17-release-notes#Apple-Pay]), ApplePay is supported within cross-origin iframes with the allow="payment" attribute.
This attribute enables Apple Pay inside of nested iframes, so long as each frame in the chain has this same allow="payment" attribute.
Unfortunately, ApplePay can only be initialized using the top-level domain (https://developer.apple.com/documentation/apple_pay_on_the_web/applepaysession/1778021-onvalidatemerchant). The `onvalidatemerchant` call seems to always look at the top-level domain. This is discussed in detail on this GitHub thread: https://github.com/stripe/stripe-js/issues/484#issuecomment-1973933139
In my view, this defeats the purpose of the new allow="payment" attribute, as the parent frame must always be whitelisted under the domain of the child (assuming the child frame is the ApplePay Merchant).
It would be best to use the child frame if the allow="payment" attribute is present.
Happy to provide more details if needed.
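As an added illustration of the delegation-chain rule the report describes (this is not part of the bug report, of WebKit, or of any merchant code): a simplified JavaScript model of how an iframe "allow" attribute is matched along a chain of frames. All origins and attribute values below are constructed for the example, and the model treats a missing "payment" directive as inheriting only when the frame is same-origin with its parent (the feature's default allowlist of 'self').

```javascript
// Parse an <iframe allow="..."> attribute into { feature: [allowlist] }.
// "payment" -> ['src']; "payment 'self' https://a.example" -> ['self', 'https://a.example']
function parseAllow(attr) {
  const policy = {};
  for (const directive of (attr || '').split(';')) {
    const [feature, ...values] = directive.trim().split(/\s+/).filter(Boolean);
    if (!feature) continue;
    // An empty allowlist is equivalent to 'src' (the origin of the frame's own src).
    policy[feature] = values.length ? values.map(v => v.replace(/^'|'$/g, '')) : ['src'];
  }
  return policy;
}

// Does an allowlist permit `childOrigin` when the frame is embedded by `parentOrigin`?
// 'none' (or any unrecognised token) never matches.
function allowlistMatches(allowlist, parentOrigin, childOrigin) {
  return allowlist.some(v =>
    v === '*' ||
    v === 'src' ||                                    // the frame's own origin
    (v === 'self' && childOrigin === parentOrigin) || // the embedding document's origin
    v === childOrigin);                               // an explicit origin
}

// chain[0] is the top-level page; each later entry is an <iframe> nested in the
// previous one, as { origin, allow }. Returns true only if every embedding step
// delegates "payment" down to the innermost frame (simplified model, see lead-in).
function paymentAllowedInInnermost(chain) {
  let allowed = true; // the top-level document may use the feature for its own origin
  for (let i = 1; i < chain.length && allowed; i++) {
    const parent = chain[i - 1], child = chain[i];
    const allowlist = parseAllow(child.allow).payment;
    allowed = allowlist
      ? allowlistMatches(allowlist, parent.origin, child.origin)
      : child.origin === parent.origin; // no directive: default allowlist 'self'
  }
  return allowed;
}

// Constructed chains: merchant page -> checkout provider -> payment frame.
const fullChain = [
  { origin: 'https://shop.example' },
  { origin: 'https://checkout.example', allow: 'payment' },
  { origin: 'https://pay.example', allow: 'payment' },
];
const brokenChain = [
  { origin: 'https://shop.example' },
  { origin: 'https://checkout.example' }, // middle frame lacks allow="payment"
  { origin: 'https://pay.example', allow: 'payment' },
];
```

The model only covers delegation; it says nothing about which origin `onvalidatemerchant` ends up validating, which is the behaviour the report questions.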