Bug 226345

Summary: Support Apple Pay in cross-origin iframes with allow=payment attribute
Product: WebKit Reporter: Brad <brad.girardeau>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: aestes, anthony, hi, javier, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Safari 14   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=167417
https://bugs.webkit.org/show_bug.cgi?id=258217
https://bugs.webkit.org/show_bug.cgi?id=259667

Description Brad 2021-05-27 10:40:29 PDT 
Web pages that use a third party payment vendor for a checkout flow may integrate the vendor in a cross-origin iframe to prevent the vendor from accessing non-payment data on the top level/main origin. However, this integration does not allow using Apple Pay due to this error: https://github.com/WebKit/WebKit/blob/Safari-612.1.11/Source/WebCore/Modules/applepay/PaymentSession.cpp#L63

The Payment Request spec supports this use case by allowing the top level/main origin to delegate payments permission to an iframe using the allow attribute: https://www.w3.org/TR/payment-request/#using-with-cross-origin-iframes. This opt-in mechanism prevents abuse by untrusted iframes because the top origin determines which of its children it intends to provide payments.

Safari/WebKit should support this attribute/use case in the Payment Request and Apple Pay APIs.
Comment 1 Devin Rousso 2021-05-27 22:14:26 PDT 

*** This bug has been marked as a duplicate of bug 167417 ***
Comment 2 Brad 2021-10-01 17:49:34 PDT 
The duplicate ticket didn't end up addressing this issue: https://bugs.webkit.org/show_bug.cgi?id=229406#c15

Could we get input from someone on Apple Pay on resolving this?
Comment 3 Radar WebKit Bug Importer 2022-02-15 09:28:37 PST 
<rdar://problem/88969594>
Comment 4 Javier López Navarro 2023-03-14 02:39:12 PDT 
I have created a Pull Request on the WebKit repository with the changes suggested by Brad solving this issue.
https://github.com/WebKit/WebKit/pull/11485
Comment 5 EWS 2023-04-05 06:01:33 PDT 
Committed 262616@main (fead01e13ad2): <https://commits.webkit.org/262616@main>

Reviewed commits have been landed. Closing PR #11485 and removing active labels.