Web pages that use a third party payment vendor for a checkout flow may integrate the vendor in a cross-origin iframe to prevent the vendor from accessing non-payment data on the top level/main origin. However, this integration does not allow using Apple Pay due to this error: https://github.com/WebKit/WebKit/blob/Safari-612.1.11/Source/WebCore/Modules/applepay/PaymentSession.cpp#L63 The Payment Request spec supports this use case by allowing the top level/main origin to delegate payments permission to an iframe using the allow attribute: https://www.w3.org/TR/payment-request/#using-with-cross-origin-iframes. This opt-in mechanism prevents abuse by untrusted iframes because the top origin determines which of its children it intends to provide payments. Safari/WebKit should support this attribute/use case in the Payment Request and Apple Pay APIs.
*** This bug has been marked as a duplicate of bug 167417 ***
The duplicate ticket didn't end up addressing this issue: https://bugs.webkit.org/show_bug.cgi?id=229406#c15 Could we get input from someone on Apple Pay on resolving this?
<rdar://problem/88969594>
I have created a Pull Request on the WebKit repository with the changes suggested by Brad solving this issue. https://github.com/WebKit/WebKit/pull/11485
Committed 262616@main (fead01e13ad2): <https://commits.webkit.org/262616@main> Reviewed commits have been landed. Closing PR #11485 and removing active labels.