Bug 226345 - Support Apple Pay in cross-origin iframes with allow=payment attribute
Summary: Support Apple Pay in cross-origin iframes with allow=payment attribute
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: Safari 14
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Depends on:
Reported: 2021-05-27 10:40 PDT by Brad
Modified: 2024-04-04 08:02 PDT
CC List: 5 users

See Also:

Description Brad 2021-05-27 10:40:29 PDT
Web pages that use a third-party payment vendor for a checkout flow may integrate the vendor in a cross-origin iframe to prevent the vendor from accessing non-payment data on the top-level/main origin. However, this integration does not allow using Apple Pay due to this error: https://github.com/WebKit/WebKit/blob/Safari-612.1.11/Source/WebCore/Modules/applepay/PaymentSession.cpp#L63

The Payment Request spec supports this use case by allowing the top-level/main origin to delegate payments permission to an iframe using the allow attribute: https://www.w3.org/TR/payment-request/#using-with-cross-origin-iframes. This opt-in mechanism prevents abuse by untrusted iframes because the top origin determines which of its children it intends to provide payments to.

Safari/WebKit should support this attribute/use case in the Payment Request and Apple Pay APIs.
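The delegation rule the description relies on, as an added example that is not code from this bug, from the Payment Request spec or from WebKit: a simplified model of how Permissions Policy decides whether the "payment" feature is enabled in a given frame, from the chain of frame origins and the allow attribute on each embedding iframe. It follows the inheritance rules in https://w3c.github.io/webappsec-permissions-policy/ and the default allowlist of 'self' that the Payment Request spec declares for "payment". Assumptions: no Permissions-Policy HTTP headers are involved, each iframe's document origin equals its src origin, and the origins shop.example, pay.example and bank.example are constructed sample values.

```javascript
// Added example, not WebKit code: Permissions Policy inheritance for "payment",
// simplified (no HTTP headers; iframe document origin == src origin).
//
// Embedding side, top-level document at https://shop.example (constructed):
//   <iframe src="https://pay.example/checkout" allow="payment"></iframe>
// With the attribute, the vendor page inside the iframe may construct a
// PaymentRequest using the "https://apple.com/apple-pay" method; without it,
// "payment" is disabled in the cross-origin frame.

const DEFAULT_ALLOWLISTS = { payment: "self" }; // feature -> 'self' or '*'

// Parse an allow attribute such as "payment; camera 'none'" into
// { payment: ["'src'"], camera: ["'none'"] }. A feature listed with no
// origins gets the 'src' allowlist, i.e. the iframe's own origin.
function parseAllowAttribute(allowAttr) {
  const policy = {};
  for (const decl of (allowAttr || "").split(";")) {
    const [feature, ...allowlist] = decl.trim().split(/\s+/).filter(Boolean);
    if (!feature) continue;
    policy[feature.toLowerCase()] = allowlist.length ? allowlist : ["'src'"];
  }
  return policy;
}

// Does an allow-attribute allowlist match `origin`, for an iframe whose src
// origin is `srcOrigin` embedded by a document at `parentOrigin`?
function allowlistMatches(allowlist, origin, srcOrigin, parentOrigin) {
  if (allowlist.includes("'none'")) return false;
  return allowlist.some(
    (item) =>
      item === "*" ||
      (item === "'self'" && origin === parentOrigin) ||
      (item === "'src'" && origin === srcOrigin) ||
      item === origin
  );
}

// `frames[0]` is the top-level document; each later entry is a nested frame,
// `allow` being the allow attribute on the iframe element that embeds it.
// Walk the chain top-down: a frame only inherits what its parent has, and the
// container policy (or, absent one, the default allowlist) decides if it keeps it.
function isFeatureEnabled(feature, frames) {
  let enabled = true; // top-level document, no header: default 'self' allows it
  for (let i = 1; i < frames.length; i++) {
    if (!enabled) return false; // parent lost the feature, so every descendant does
    const parent = frames[i - 1];
    const frame = frames[i];
    const srcOrigin = frame.srcOrigin || frame.origin;
    const container = parseAllowAttribute(frame.allow)[feature];
    if (container) {
      enabled = allowlistMatches(container, frame.origin, srcOrigin, parent.origin);
    } else {
      const def = DEFAULT_ALLOWLISTS[feature];
      enabled = def === "*" || (def === "self" && frame.origin === parent.origin);
    }
  }
  return enabled;
}

// Constructed scenarios; every origin here is a sample value.
function runScenarios() {
  const shop = "https://shop.example";  // merchant, top-level document
  const vendor = "https://pay.example"; // third-party payment vendor iframe
  const bank = "https://bank.example";  // a frame the vendor nests in turn
  const chain = (...frames) => isFeatureEnabled("payment", frames);
  return {
    // The situation in the bug: cross-origin vendor iframe, nothing delegated.
    crossOriginNoAllow: chain({ origin: shop }, { origin: vendor }),
    // Same-origin iframes keep "payment" through the default 'self' allowlist.
    sameOriginNoAllow: chain({ origin: shop }, { origin: shop }),
    // allow="payment" is shorthand for 'src', the vendor's own origin.
    allowPayment: chain({ origin: shop }, { origin: vendor, allow: "payment" }),
    // An explicit allowlist only helps when it names the frame's origin.
    allowOtherOrigin: chain({ origin: shop }, { origin: vendor, allow: "payment https://other.example" }),
    allowVendorOrigin: chain({ origin: shop }, { origin: vendor, allow: "camera; payment https://pay.example" }),
    // 'self' in the attribute means the embedder, so it does not delegate cross-origin.
    allowSelf: chain({ origin: shop }, { origin: vendor, allow: "payment 'self'" }),
    allowNone: chain({ origin: shop }, { origin: vendor, allow: "payment 'none'" }),
    // Nesting: the vendor must re-delegate, and cannot delegate what it never got.
    nestedRedelegated: chain({ origin: shop }, { origin: vendor, allow: "payment" }, { origin: bank, allow: "payment" }),
    nestedNotRedelegated: chain({ origin: shop }, { origin: vendor, allow: "payment" }, { origin: bank }),
    nestedParentDisabled: chain({ origin: shop }, { origin: vendor }, { origin: bank, allow: "payment" }),
  };
}

console.log(runScenarios());
```

The point for a merchant integration is the top-down walk: the attribute on the iframe that embeds the vendor is the only thing that turns "payment" on for a cross-origin frame, a frame that never received the feature cannot hand it to its own children, and 'self' inside the attribute names the embedder rather than the vendor, so it is not a delegation. Whichever frame ends up constructing the request, the browser's check for a cross-origin frame has to consult this inherited policy rather than rejecting cross-origin frames outright.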
Comment 1 Devin Rousso 2021-05-27 22:14:26 PDT

*** This bug has been marked as a duplicate of bug 167417 ***
Comment 2 Brad 2021-10-01 17:49:34 PDT
The duplicate ticket didn't end up addressing this issue: https://bugs.webkit.org/show_bug.cgi?id=229406#c15

Could we get input from someone on Apple Pay on resolving this?
Comment 3 Radar WebKit Bug Importer 2022-02-15 09:28:37 PST
Comment 4 Javier López Navarro 2023-03-14 02:39:12 PDT
I have created a Pull Request on the WebKit repository with the changes suggested by Brad, solving this issue.
Comment 5 EWS 2023-04-05 06:01:33 PDT
Committed 262616@main (fead01e13ad2): <https://commits.webkit.org/262616@main>

Reviewed commits have been landed. Closing PR #11485 and removing active labels.