Bug 271409 (Status: NEW)
ApplePay session can only be initialized from top-level domain even when using new allow="payment" attribute
https://bugs.webkit.org/show_bug.cgi?id=271409
RLambert
Reported 2024-03-21 13:39:45 PDT
As of Safari 17 (Release Notes [https://developer.apple.com/documentation/safari-release-notes/safari-17-release-notes#Apple-Pay]), Apple Pay is supported within cross-origin iframes with the allow="payment" attribute. This attribute enables Apple Pay inside of nested iframes, so long as each frame in the chain has this same allow="payment" attribute.

Unfortunately, Apple Pay can only be initialized using the top-level domain (https://developer.apple.com/documentation/apple_pay_on_the_web/applepaysession/1778021-onvalidatemerchant). The `onvalidatemerchant` call seems to always look at the top-level domain. This is discussed in detail on this GitHub thread: https://github.com/stripe/stripe-js/issues/484#issuecomment-1973933139

In my view, this defeats the purpose of the new allow="payment" attribute, as the parent frame must always be whitelisted under the domain of the child (assuming the child frame is the Apple Pay merchant). It would be best to use the child frame if the allow="payment" attribute is present. Happy to provide more details if needed.
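The frame chain described in the report, as an added example that is not part of the bug report or of WebKit's code: a small model of how the `allow="payment"` attribute propagates the payment feature through nested frames, following the standard Permissions Policy inheritance rules (including the `'self'`, `'src'` and `*` allowlist forms, which go beyond the bare `allow="payment"` the report uses), next to the domain the report says `onvalidatemerchant` actually keys on. The frame chain, origins and function names (`paymentAvailable`, `merchantValidationDomain`, and so on) are this example's own constructed sample data and assumptions.

```javascript
// Added example: models Permissions Policy delegation of the "payment"
// feature through nested <iframe> elements, and contrasts the frame that
// creates the Apple Pay session with the top-level domain that the report
// says merchant validation is keyed to. All origins below are constructed.

// Parse an HTML `allow` attribute value into Map<feature, allowlist[]>.
// A feature listed without an allowlist ("payment") defaults to 'src',
// i.e. the origin named in the <iframe src> attribute.
function parseAllow(allowAttr) {
  const policy = new Map();
  for (const decl of String(allowAttr || "").split(";")) {
    const tokens = decl.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...allowlist] = tokens;
    policy.set(feature.toLowerCase(), allowlist.length ? allowlist : ["'src'"]);
  }
  return policy;
}

// Does a single allowlist entry grant the feature to the embedded frame?
// frame = { origin, srcOrigin, allow }: origin is the document currently
// loaded in the frame, srcOrigin the origin of the <iframe src> attribute.
function entryMatches(entry, parentOrigin, frame) {
  switch (entry) {
    case "*":      return true;
    case "'none'": return false;
    case "'self'": return frame.origin === parentOrigin;    // same origin as the embedder
    case "'src'":  return frame.origin === frame.srcOrigin; // frame still on its src origin
    default:       return frame.origin === entry;           // an explicit origin
  }
}

// A frame inherits `feature` only if the parent has it AND the <iframe>
// allow attribute grants it for the frame's current origin. With no allow
// attribute the default allowlist for payment is 'self' (same-origin only).
function featureDelegated(feature, parentOrigin, frame, parentHasFeature) {
  if (!parentHasFeature) return false;
  const allowlist = parseAllow(frame.allow).get(feature) ?? ["'self'"];
  return allowlist.some((entry) => entryMatches(entry, parentOrigin, frame));
}

// Walk a frame chain (index 0 = top-level document) and report whether the
// innermost frame ends up with the payment feature. The first frame that
// lacks the feature breaks the chain for everything below it.
function paymentAvailable(chain) {
  let has = true; // the top-level document has the feature by default
  for (let i = 1; i < chain.length; i++) {
    has = featureDelegated("payment", chain[i - 1].origin, chain[i], has);
    if (!has) return false;
  }
  return has;
}

// The behaviour the report describes: merchant validation is performed for
// the top-level document's domain, which is therefore the one that must be
// registered with Apple Pay.
function merchantValidationDomain(chain) {
  return new URL(chain[0].origin).hostname;
}

// The domain the reporter would expect to be used: the innermost frame,
// i.e. the document that actually creates the ApplePaySession.
function sessionFrameDomain(chain) {
  return new URL(chain[chain.length - 1].origin).hostname;
}

// Constructed sample chain: store page -> checkout iframe -> payment-provider iframe,
// every <iframe> carrying allow="payment".
const sampleChain = [
  { origin: "https://store.example" },
  { origin: "https://checkout.example", srcOrigin: "https://checkout.example", allow: "payment" },
  { origin: "https://psp.example", srcOrigin: "https://psp.example", allow: "payment" },
];

console.log(paymentAvailable(sampleChain));         // true: the feature reaches psp.example
console.log(merchantValidationDomain(sampleChain)); // store.example: the domain that gets validated
console.log(sessionFrameDomain(sampleChain));       // psp.example: the frame that created the session
```

Delegation succeeding while validation is keyed to `store.example` is exactly the mismatch the report complains about: the innermost merchant frame has the feature, but the top-level domain still has to be registered. The model also shows the quieter failure modes a practitioner runs into: an intermediate iframe without `allow="payment"` (or with `'self'` on a cross-origin frame) silently drops the feature for every frame below it, and a frame that navigated away from its `src` origin loses the default `'src'` grant.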
Radar WebKit Bug Importer
Comment 1 2024-03-28 13:40:15 PDT
Ahmad Saleem
Comment 2 2024-04-03 06:10:25 PDT
Can you share a reproducible test case or reduction to allow us to reproduce the issue?
Ahmad Saleem
Comment 3 2024-04-03 06:12:44 PDT
I tried the following: https://stripe-payments-demo.appspot.com with Safari 17.4 and it seems to work with random test data.
RLambert
Comment 4 2024-04-03 07:08:00 PDT
(In reply to Ahmad Saleem from comment #3)
> I tried following:
>
> https://stripe-payments-demo.appspot.com
>
> With Safari 17.4 and it seems to work with random test data.

https://codepen.io/lambodispatch/pen/VwNyyOW

Here is an example. In the console you see "You have not registered or verified the domain, so the following payment methods are not enabled in the `paymentRequest`: - apple_pay". We have indeed registered the domain for Apple Pay (see https://checkout-demo.dispatch.co/v1/checkout/001/654d0ed8ea4d425923470263 outside the iframe). You can see the top-level domain being used. I thought this was a Stripe issue, but Apple Pay actually requires you to use the top-level domain or it cannot verify the session.