Bug 226345

Summary: Support Apple Pay in cross-origin iframes with allow=payment attribute
Product: WebKit Reporter: Brad <brad.girardeau>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: aestes, anthony, hi, javier, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Safari 14   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=167417
https://bugs.webkit.org/show_bug.cgi?id=258217
https://bugs.webkit.org/show_bug.cgi?id=259667

Brad
Reported 2021-05-27 10:40:29 PDT
Web pages that use a third party payment vendor for a checkout flow may integrate the vendor in a cross-origin iframe to prevent the vendor from accessing non-payment data on the top level/main origin. However, this integration does not allow using Apple Pay due to this error: https://github.com/WebKit/WebKit/blob/Safari-612.1.11/Source/WebCore/Modules/applepay/PaymentSession.cpp#L63 The Payment Request spec supports this use case by allowing the top level/main origin to delegate payments permission to an iframe using the allow attribute: https://www.w3.org/TR/payment-request/#using-with-cross-origin-iframes. This opt-in mechanism prevents abuse by untrusted iframes because the top origin determines which of its children it intends to provide payments. Safari/WebKit should support this attribute/use case in the Payment Request and Apple Pay APIs.
Attachments
Add attachment proposed patch, testcase, etc.
Devin Rousso
Comment 1 2021-05-27 22:14:26 PDT
*** This bug has been marked as a duplicate of bug 167417 ***
Brad
Comment 2 2021-10-01 17:49:34 PDT
The duplicate ticket didn't end up addressing this issue: https://bugs.webkit.org/show_bug.cgi?id=229406#c15 Could we get input from someone on Apple Pay on resolving this?
Radar WebKit Bug Importer
Comment 3 2022-02-15 09:28:37 PST
<rdar://problem/88969594>
Javier López Navarro
Comment 4 2023-03-14 02:39:12 PDT
I have created a Pull Request on the WebKit repository with the changes suggested by Brad solving this issue. https://github.com/WebKit/WebKit/pull/11485
EWS
Comment 5 2023-04-05 06:01:33 PDT
Committed 262616@main (fead01e13ad2): <https://commits.webkit.org/262616@main> Reviewed commits have been landed. Closing PR #11485 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.