Implement `allowPaymentRequest` on iframe

RESOLVED FIXED in Firefox 56

Status

()

defect
P3
normal
RESOLVED FIXED
3 years ago
2 years ago

People

(Reporter: marcosc, Assigned: alchen)

Tracking

(Blocks 2 bugs, {dev-doc-complete})

unspecified
mozilla56
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox56 fixed)

Details

()

Attachments

(1 attachment, 3 obsolete attachments)

Reporter

Description

3 years ago
Controls if an iframe can access the PaymentRequest API.
Reporter

Updated

3 years ago
No longer depends on: 1318987
Mapping the Trello_P1 priority to bugzilla P3.
Priority: -- → P3
Bug 1318988 has added 'allowPaymentRequest' on iframe, but permission check in PaymentRequest constructor is still required.
(In reply to Ben Tian [:btian] from comment #3)
> Bug 1318988 has added 'allowPaymentRequest' on iframe, but permission check
> in PaymentRequest constructor is still required.

Should be bug 1331899.
Component: DOM → DOM: Web Payments
Assignee

Updated

2 years ago
Assignee: nobody → alchen
Assignee

Comment 5

2 years ago
Posted patch WIP patch (obsolete) — Splinter Review
We can pass a few web-platform-test by this patch.
In this patch, I also add a mochitest.
Assignee

Comment 6

2 years ago
With this patch, We can pass the following web-platform-tests.

https://w3c-test.org/payment-request/allowpaymentrequest/
 -> active-document-cross-origin.https.sub.html
 -> active-document-same-origin.https.html
 -> allowpaymentrequest-attribute-cross-origin-bc-containers.https.html
 -> allowpaymentrequest-attribute-same-origin-bc-containers.https.html
 -> no-attribute-cross-origin-bc-containers.https.html
 -> no-attribute-same-origin-bc-containers.https.html
 -> basic.https.html
Attachment #8886064 - Flags: review?(amarchesini)
Comment on attachment 8886064 [details] [diff] [review]
Implement allowPaymentRequest on iframe

Review of attachment 8886064 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/payments/PaymentRequest.cpp
@@ +238,5 @@
> +  // If the node has the same origin as the parent node, the feature is allowed-to-use.
> +  // Otherwise, only allow-to-use this feature when the browsing context container is
> +  // an iframe with "allowpaymentrequest" attribute.
> +  nsCOMPtr<nsIDocument> doc = window->GetExtantDoc();
> +  nsINode* node = static_cast<nsINode*>(doc);

node can be null here. In this case return NS_ERROR_UNEXPECTED.
Attachment #8886064 - Flags: review?(amarchesini) → review+
Assignee

Updated

2 years ago
Keywords: checkin-needed
Assignee

Comment 9

2 years ago
Attachment #8887302 - Attachment is obsolete: true
Attachment #8887310 - Flags: review+

Comment 10

2 years ago
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2911ec8bebec
Implement allowPaymentRequest on iframe. r=baku
Keywords: checkin-needed

Updated

2 years ago
Blocks: 1382120

Comment 11

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/2911ec8bebec
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Usually we don't mark features as available in iframes; we are more likely to mark a feature if it is explicitly not available in an iframe.

However, I appreciate that this feature's iframe availability is rather more critical than most (3rd party checkout apps, etc.), so I've put a note here about it:

https://developer.mozilla.org/en-US/docs/Web/API/Payment_Request_API#Payment_Request_Concepts_and_Usage

Do you think anything more is needed?
Assignee

Comment 13

2 years ago
(In reply to Chris Mills (Mozilla, MDN editor) [:cmills] from comment #12)
> Usually we don't mark features as available in iframes; we are more likely
> to mark a feature if it is explicitly not available in an iframe.
> 
> However, I appreciate that this feature's iframe availability is rather more
> critical than most (3rd party checkout apps, etc.), so I've put a note here
> about it:
> 
> https://developer.mozilla.org/en-US/docs/Web/API/
> Payment_Request_API#Payment_Request_Concepts_and_Usage
> 
> Do you think anything more is needed?

I think you should add the note as the link below.
It is more accurate.
https://www.w3.org/TR/payment-request/#paymentrequest-and-iframe-elements

Thanks for your help.
Flags: needinfo?(cmills)
(In reply to Alphan Chen [:alchen] from comment #13)
> (In reply to Chris Mills (Mozilla, MDN editor) [:cmills] from comment #12)
> > Usually we don't mark features as available in iframes; we are more likely
> > to mark a feature if it is explicitly not available in an iframe.
> > 
> > However, I appreciate that this feature's iframe availability is rather more
> > critical than most (3rd party checkout apps, etc.), so I've put a note here
> > about it:
> > 
> > https://developer.mozilla.org/en-US/docs/Web/API/
> > Payment_Request_API#Payment_Request_Concepts_and_Usage
> > 
> > Do you think anything more is needed?
> 
> I think you should add the note as the link below.
> It is more accurate.
> https://www.w3.org/TR/payment-request/#paymentrequest-and-iframe-elements
> 
> Thanks for your help.

Ah, cool, thanks for the pointer.

I've updated my note so it is accurate, and I've also added an entry to the <iframe> page to explain the allowpaymentrequest attribute.

The equivalent DOM property is already documented:

https://developer.mozilla.org/en-US/docs/Web/API/HTMLIFrameElement
Flags: needinfo?(cmills)
Assignee

Comment 15

2 years ago
(In reply to Chris Mills (Mozilla, MDN editor) [:cmills] from comment #14)
> 
> I've updated my note so it is accurate, and I've also added an entry to the
> <iframe> page to explain the allowpaymentrequest attribute.
> 
> The equivalent DOM property is already documented:
> 
> https://developer.mozilla.org/en-US/docs/Web/API/HTMLIFrameElement

There are some updates about this attribute.

[Current Definition]
To indicate that a "cross-origin" iframe is allowed to invoke the payment request API, the allowpaymentrequest attribute can be specified on the iframe element. 


The keyword is "cross-origin". 
If the iframe has the same origin, we don't need 'allowpaymentrequest' attribute to use the payment request API.
So we still need some refinement here.
Thanks.
Flags: needinfo?(cmills)
(In reply to Alphan Chen [:alchen] from comment #15)
> (In reply to Chris Mills (Mozilla, MDN editor) [:cmills] from comment #14)
> > 
> > I've updated my note so it is accurate, and I've also added an entry to the
> > <iframe> page to explain the allowpaymentrequest attribute.
> > 
> > The equivalent DOM property is already documented:
> > 
> > https://developer.mozilla.org/en-US/docs/Web/API/HTMLIFrameElement
> 
> There are some updates about this attribute.
> 
> [Current Definition]
> To indicate that a "cross-origin" iframe is allowed to invoke the payment
> request API, the allowpaymentrequest attribute can be specified on the
> iframe element. 
> 
> 
> The keyword is "cross-origin". 
> If the iframe has the same origin, we don't need 'allowpaymentrequest'
> attribute to use the payment request API.
> So we still need some refinement here.
> Thanks.

Ah, I missed that detail - thanks for pointing this out.

I've made sure the cross-origin detail is made clear in all the relevant places:

* https://developer.mozilla.org/en-US/docs/Web/API/Payment_Request_API#Payment_Request_Concepts_and_Usage
* https://developer.mozilla.org/en-US/docs/Web/API/HTMLIFrameElement#Properties
* https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#Attributes
Flags: needinfo?(cmills)

Updated

2 years ago
Whiteboard: [WP-MVP][M4]

Updated

2 years ago
Whiteboard: [WP-MVP][M4]
You need to log in before you can comment on or make changes to this bug.