WebKit Bugzilla
RESOLVED INVALID
264379
REGRESSION (Safari 17.1): Apple Pay Cross-origin frame cancels and cannot complete payment
https://bugs.webkit.org/show_bug.cgi?id=264379
jwoody2014
Reported
2023-11-07 18:39:20 PST
Starting with WebKit 17.0, Apple Pay in a cross-origin frame was available and working. After WebKit 17.1, the Apple Pay session cancels itself after stating “Payment not complete.” I’ve verified that switching back to version 17.0 can successfully process a cross-origin Apple Pay payment. What changed after 17.0?
Attachments
Payment Request Merchant Validation (135 bytes, text/plain), 2023-11-09 11:03 PST, jwoody2014
Apple Pay Cross-origin frame test cases (634 bytes, text/plain), 2023-11-09 12:05 PST, jwoody2014
Radar WebKit Bug Importer
Comment 1
2023-11-08 14:40:14 PST
<rdar://problem/118140368>
Smoley
Comment 2
2023-11-09 10:13:20 PST
Thanks for filing, can you please provide a link to a test case if you have one?
jwoody2014
Comment 3
2023-11-09 10:54:34 PST
Here's a link to the original Safari 17.0 update I'm referring to:
https://github.com/WebKit/WebKit/blob/main/LayoutTests/http/tests/paymentrequest/payment-allow-attribute.https-expected.txt
The above test case is still working from what I can tell. The issue I'm now seeing is on Safari >= 17.1 where the Apple Pay payment sheet cancels itself upon completeMerchantValidation within a third-party iFrame. There are no additional error details in the console either.
jwoody2014
Comment 4
2023-11-09 11:03:15 PST
Created attachment 468537: Payment Request Merchant Validation
Alexey Proskuryakov
Comment 5
2023-11-09 11:13:19 PST
To clarify, what Smoley is asking for is specific steps to reproduce ("open this URL, click here, and then this happens instead of that"). Linking to our regression test does not explain the issue, as we do not have any history of it failing in Safari 17.1 or anywhere else recently.
jwoody2014
Comment 6
2023-11-09 12:05:44 PST
Created attachment 468538: Apple Pay Cross-origin frame test cases
These are the two test cases for cross-origin Apple Pay on Safari 17.0 vs 17.1
Alexey Proskuryakov
Comment 7
2023-11-09 12:42:04 PST
Copied from that file below. I am not certain if we can quickly route this without a specific URL (this essentially asks us to build our own test), but we can try.

Scenario 1 (error):
Prerequisites: Safari 17.1 browser, An iFrame that contains an Apple Pay button lives on third-party website
1. Navigate to third party site
2. Open up the iFrame
3. Click Apple Pay button
4. Apple Pay payment sheet opens up
5. See 'Payment Not Complete' and Apple Pay payment sheet close

Scenario 2 (success):
Prerequisites: Safari 17.0 browser, An iFrame that contains an Apple Pay button lives on third-party website
1. Navigate to third party site
2. Open up the iFrame
3. Click Apple Pay button
4. Apple Pay payment sheet open up
5. Apple Pay payment sheet shows touchID to complete payment
jwoody2014
Comment 8
2023-11-09 13:12:31 PST
The tests I'm running are on my local machine & I'm prevented from getting Apple Pay to a live environment at this time. I am happy to assist with any questions you might have to get your test(s) working.
Abrar Rahman Protyasha
Comment 9
2023-11-13 17:06:54 PST
Hi jwoody2014@yahoo.com, thanks for filing the report. Nothing of note has changed in this area between iOS 17.0 and iOS 17.1. From some of our local testing, we think this is behaving as expected. The host in the merchant session (`domainName`) needs to match the host of the originating URL WebKit set (which is the top document). Cross-origin iframe support requires the merchant session to be for the top-level host, not the iframe. If we don’t do that then all the Apple Pay payments for your website get reported as “<payment-provider-iframe-url>” which erodes security measures to identify problematic sites.
Alexey Proskuryakov
Comment 10
2023-11-25 13:47:43 PST
Marking as INVALID per the above. Please feel free to re-open if you have a specific scenario that you believe should work, and does not.
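
The host-matching rule from comment 9, sketched as an added example that is not part of the bug thread or of WebKit's code: a payment provider's server requests the merchant session for the top-level host and checks the returned `domainName` before the iframe completes merchant validation. The allow-list, hostnames and merchant identifier are constructed, and how the embedding page's origin reaches the server is an assumption.

```javascript
// Added example: server-side checks for a payment provider whose Apple Pay
// button runs in a cross-origin iframe. Hostnames below are constructed.
const REGISTERED_MERCHANT_HOSTS = new Set(["shop.example", "store.example"]);

// Normalise a claimed top-level origin to its host; reject anything not https.
function topLevelHost(claimedOrigin) {
  let url;
  try {
    url = new URL(claimedOrigin);
  } catch {
    return null; // not a parseable URL
  }
  if (url.protocol !== "https:") return null;
  return url.hostname.toLowerCase();
}

// Build the body of the merchant validation request. initiativeContext is
// the top document's host, never the host of the provider's own iframe.
// The claimed origin is client-supplied (assumption), so it is only accepted
// when it is a domain the provider has registered for this merchant.
function buildSessionRequest(claimedTopOrigin, merchantIdentifier, displayName) {
  const host = topLevelHost(claimedTopOrigin);
  if (host === null || !REGISTERED_MERCHANT_HOSTS.has(host)) {
    throw new Error("top-level host is not a registered merchant domain");
  }
  return {
    merchantIdentifier,
    displayName,
    initiative: "web",
    initiativeContext: host,
  };
}

// Before the session is passed to completeMerchantValidation, confirm that
// its domainName equals the top-level host, as comment 9 requires.
function sessionMatchesTopLevel(merchantSession, claimedTopOrigin) {
  const host = topLevelHost(claimedTopOrigin);
  return (
    host !== null &&
    typeof merchantSession.domainName === "string" &&
    merchantSession.domainName.toLowerCase() === host
  );
}
```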