Closed Bug 1318988 Opened 8 years ago Closed 7 years ago

Implement `allowPaymentRequest` on iframe

Categories

(Core :: DOM: Web Payments, defect, P3)

Product:
Core
Component:
DOM: Web Payments
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla56
Tracking Flags:
Tracking Status
firefox56 --- fixed

People

(Reporter: marcosc, Assigned: alchen)

References

(Blocks 2 open bugs,
URL
)

Details

(Keywords: dev-doc-complete)

Attachments

(1 file, 3 obsolete files)

Implement allowPaymentRequest on iframe. r=baku
12.03 KB, patch
alchen
: review+
Details | Diff | Splinter Review 
Controls if an iframe can access the PaymentRequest API.
No longer depends on: 1318987
Mapping the Trello_P1 priority to bugzilla P3.
Priority: -- → P3
Bug 1318988 has added 'allowPaymentRequest' on iframe, but permission check in PaymentRequest constructor is still required.
(In reply to Ben Tian [:btian] from comment #3)
> Bug 1318988 has added 'allowPaymentRequest' on iframe, but permission check
> in PaymentRequest constructor is still required.

Should be bug 1331899.
Component: DOM → DOM: Web Payments
Assignee: nobody → alchen
Attached patch WIP patch (obsolete) — Splinter Review 
We can pass a few web-platform-test by this patch.
In this patch, I also add a mochitest.
With this patch, We can pass the following web-platform-tests.

https://w3c-test.org/payment-request/allowpaymentrequest/
 -> active-document-cross-origin.https.sub.html
 -> active-document-same-origin.https.html
 -> allowpaymentrequest-attribute-cross-origin-bc-containers.https.html
 -> allowpaymentrequest-attribute-same-origin-bc-containers.https.html
 -> no-attribute-cross-origin-bc-containers.https.html
 -> no-attribute-same-origin-bc-containers.https.html
 -> basic.https.html
Attachment #8886064 - Flags: review?(amarchesini)
Comment on attachment 8886064 [details] [diff] [review]
Implement allowPaymentRequest on iframe

Review of attachment 8886064 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/payments/PaymentRequest.cpp
@@ +238,5 @@
> +  // If the node has the same origin as the parent node, the feature is allowed-to-use.
> +  // Otherwise, only allow-to-use this feature when the browsing context container is
> +  // an iframe with "allowpaymentrequest" attribute.
> +  nsCOMPtr<nsIDocument> doc = window->GetExtantDoc();
> +  nsINode* node = static_cast<nsINode*>(doc);

node can be null here. In this case return NS_ERROR_UNEXPECTED.
Attachment #8886064 - Flags: review?(amarchesini) → review+
Keywords: checkin-needed

        Attachment #8887302 -
        Attachment is obsolete: true

        Attachment #8887310 -
        Flags: review+

    
    

    
  
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2911ec8bebec
Implement allowPaymentRequest on iframe. r=baku
Keywords: checkin-needed

    
  
Blocks: 1382120

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/2911ec8bebec
Status: NEW → RESOLVED
Closed: 7 years ago

          status-firefox56:
          --- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla56

    
    

    
  
Usually we don't mark features as available in iframes; we are more likely to mark a feature if it is explicitly not available in an iframe.

However, I appreciate that this feature's iframe availability is rather more critical than most (3rd party checkout apps, etc.), so I've put a note here about it:

https://developer.mozilla.org/en-US/docs/Web/API/Payment_Request_API#Payment_Request_Concepts_and_Usage

Do you think anything more is needed?
Keywords: dev-doc-neededdev-doc-complete

    
    

    
  
(In reply to Chris Mills (Mozilla, MDN editor) [:cmills] from comment #12)
> Usually we don't mark features as available in iframes; we are more likely
> to mark a feature if it is explicitly not available in an iframe.
> 
> However, I appreciate that this feature's iframe availability is rather more
> critical than most (3rd party checkout apps, etc.), so I've put a note here
> about it:
> 
> https://developer.mozilla.org/en-US/docs/Web/API/
> Payment_Request_API#Payment_Request_Concepts_and_Usage
> 
> Do you think anything more is needed?

I think you should add the note as the link below.
It is more accurate.
https://www.w3.org/TR/payment-request/#paymentrequest-and-iframe-elements

Thanks for your help.
Flags: needinfo?(cmills)

    
    

    
  
(In reply to Alphan Chen [:alchen] from comment #13)
> (In reply to Chris Mills (Mozilla, MDN editor) [:cmills] from comment #12)
> > Usually we don't mark features as available in iframes; we are more likely
> > to mark a feature if it is explicitly not available in an iframe.
> > 
> > However, I appreciate that this feature's iframe availability is rather more
> > critical than most (3rd party checkout apps, etc.), so I've put a note here
> > about it:
> > 
> > https://developer.mozilla.org/en-US/docs/Web/API/
> > Payment_Request_API#Payment_Request_Concepts_and_Usage
> > 
> > Do you think anything more is needed?
> 
> I think you should add the note as the link below.
> It is more accurate.
> https://www.w3.org/TR/payment-request/#paymentrequest-and-iframe-elements
> 
> Thanks for your help.

Ah, cool, thanks for the pointer.

I've updated my note so it is accurate, and I've also added an entry to the <iframe> page to explain the allowpaymentrequest attribute.

The equivalent DOM property is already documented:

https://developer.mozilla.org/en-US/docs/Web/API/HTMLIFrameElement
Flags: needinfo?(cmills)

    
    

    
  
(In reply to Chris Mills (Mozilla, MDN editor) [:cmills] from comment #14)
> 
> I've updated my note so it is accurate, and I've also added an entry to the
> <iframe> page to explain the allowpaymentrequest attribute.
> 
> The equivalent DOM property is already documented:
> 
> https://developer.mozilla.org/en-US/docs/Web/API/HTMLIFrameElement

There are some updates about this attribute.

[Current Definition]
To indicate that a "cross-origin" iframe is allowed to invoke the payment request API, the allowpaymentrequest attribute can be specified on the iframe element. 


The keyword is "cross-origin". 
If the iframe has the same origin, we don't need 'allowpaymentrequest' attribute to use the payment request API.
So we still need some refinement here.
Thanks.
Flags: needinfo?(cmills)

    
    

    
  
(In reply to Alphan Chen [:alchen] from comment #15)
> (In reply to Chris Mills (Mozilla, MDN editor) [:cmills] from comment #14)
> > 
> > I've updated my note so it is accurate, and I've also added an entry to the
> > <iframe> page to explain the allowpaymentrequest attribute.
> > 
> > The equivalent DOM property is already documented:
> > 
> > https://developer.mozilla.org/en-US/docs/Web/API/HTMLIFrameElement
> 
> There are some updates about this attribute.
> 
> [Current Definition]
> To indicate that a "cross-origin" iframe is allowed to invoke the payment
> request API, the allowpaymentrequest attribute can be specified on the
> iframe element. 
> 
> 
> The keyword is "cross-origin". 
> If the iframe has the same origin, we don't need 'allowpaymentrequest'
> attribute to use the payment request API.
> So we still need some refinement here.
> Thanks.

Ah, I missed that detail - thanks for pointing this out.

I've made sure the cross-origin detail is made clear in all the relevant places:

* https://developer.mozilla.org/en-US/docs/Web/API/Payment_Request_API#Payment_Request_Concepts_and_Usage
* https://developer.mozilla.org/en-US/docs/Web/API/HTMLIFrameElement#Properties
* https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#Attributes
Flags: needinfo?(cmills)

    
  
Whiteboard: [WP-MVP][M4]

    
  
Whiteboard: [WP-MVP][M4]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: