Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Should the Payment Request API only be available in a top-level browsing context? #2

Closed
adrianba opened this issue Mar 2, 2016 · 14 comments
Assignees
Labels
Core Functionality help wanted Priority: Medium security-tracker Group bringing to attention of security, or tracked by the security Group but not needing response.

Comments

@adrianba
Copy link
Contributor

adrianba commented Mar 2, 2016

This issue comes from WICG/paymentrequest#30 and was discussed at the F2F.

@mattsaxon
Copy link
Contributor

The proposals made at the f2f would significantly impact the user experience for merchants. Many small or even large merchant use iframe in their payment processing to delegate to a 3rd party.

Today is is possible for iframe to request payments, so a move to the user agent mediated approach is a massive step in the right direction for security.

The user-agent can do lots to call out who the payment request is being made and we could even do things such as allow a merchant's website to nominate which iframes should be allowed to request payments.

@adrianhopebailie
Copy link
Collaborator

In TAG review @triblondon said:

[This issue discusses] whether iframes should be able to request payment. It seems like a severe limitation to me to prohibit that mode of use.

@adrianhopebailie
Copy link
Collaborator

We require a comprehensive proposal to address this use case that considers how a merchant may put an iframe into their site that is able to call the payments API but only with the explicit permission of the merchant.

We should also consider what user permissions should be required for this and consult with @w3c/webappsec-admin for guidance.

@wseltzer wseltzer added the security-tracker Group bringing to attention of security, or tracked by the security Group but not needing response. label Apr 12, 2016
@adrianhopebailie adrianhopebailie modified the milestones: Priority: High, Discuss on Call - 28 April, Discuss on Call - 5 May Apr 22, 2016
@adrianhopebailie adrianhopebailie modified the milestones: 5 May, 12 May May 12, 2016
@adrianhopebailie adrianhopebailie modified the milestones: 19 May, 12 May May 18, 2016
@adrianhopebailie
Copy link
Collaborator

A proposal is required for how the API may be safely exposed in lower level contexts (like iframes)

@dlongley
Copy link

dlongley commented Jun 9, 2016

Reminder that a future-looking use of this API is to be able to call it on, for example, search results. Merchants could publish digitally-signed payment requests where they don't care how someone happens to find it. A search engine could make these available to be clicked on for immediate purchases via search results.

Search results used to just be a list of blue links on a page and they have since become filled with very rich structured data, images, and interactive displays. They could be further augmented with the ability to make purchases much more quickly and seamlessly.

There may also be cases where IoT devices (w/o "merchant websites") publish digitally-signed payment requests w/push based payment that would require this API to be called in different contexts.

@webpayments-specs
Copy link

On Thu, Jun 9, 2016 at 12:09 PM, Dave Longley [email protected]
wrote:

There may also be cases where IoT devices (w/o "merchant websites")
publish digitally-signed payment requests w/push based payment that would
require this API to be called in different contexts.

Think soda vending machine. This is a really interesting use case,
actually.

Shane McCarron
Projects Manager, Spec-Ops

@adrianhopebailie adrianhopebailie modified the milestone: 23 June Jun 22, 2016
@adamroach
Copy link
Contributor

adamroach commented Jun 24, 2016

I finally cornered one of our security people on this. He points out that the kind of thing we're trying to do is congruent with the delegated permissions work currently underway.

I propose we adopt this approach, which allows both declarative and imperative delegation of extra permissions to iframes.

Declaratively:

<iframe src="..." permissions="payment">

Imperatively:

var iframe = document.getElementById('payment_frame');
navigator.permissions.delegate({embedee: iframe, name: 'payment'}).then(
  function() {
    // Delegation succeeded.
  }).catch(function() {
    // Delegation failed.
  });

In particular, we beleive that using the sandbox attribute for this purpose, as was discussed last month, is the wrong tool for this job, as it removes capabilities, rather than adding them.

@adrianhopebailie
Copy link
Collaborator

+1 @adamroach

@zkoch - you proposed the sandbox attribute. What are your thoughts?

@zkoch
Copy link
Contributor

zkoch commented Jun 27, 2016

I think this is great. We should find out what the timetable for this is. Since both authors are from Google, I'll reach out. :)

@sideshowbarker
Copy link
Contributor

from @zkoch:

I think this is great. We should find out what the timetable for this is. Since both authors are from Google, I'll reach out. :)

To be clear on what that comment is referring to (there’s no comment threading in github issue trackers, so the context gets lost easily…), it seems clear it’s in reply to @adamroach’s comment at #2 (comment):

the kind of thing we're trying to do is congruent with the delegated permissions work currently underway.

I propose we adopt this approach, which allows both declarative and imperative delegation of extra permissions to iframes.

…which refers to the draft spec at https://noncombatant.github.io/permission-delegation-api/ (from the WebAppSec WG) authored by @raymeskhoury and @noncombatant (Chris Palmer).

@zkoch
Copy link
Contributor

zkoch commented Jun 29, 2016

Wanted to update this. I've reached out and talked to a few people on our security team. It sounds as though delegated permissions is being merged into Feature Policy. I think Feature Policy still has what we need. According to one of the editors, they expect to support cascading permissions, so this would work for our needs.

Issue #18 on the Feature Policy repo has been added to track support for web payments.

@adrianhopebailie
Copy link
Collaborator

Awesome stuff! Thanks @zkoch

@sideshowbarker
Copy link
Contributor

sideshowbarker commented Aug 10, 2016

FYI we’re adding a payment-request-in-iframe test to web-platforms-tests, which is just a copy of the test from Chromium third_party/WebKit/LayoutTests/payments/payment-request-in-iframe.html and can currently be run here:

https://w3c-test.org/submissions/3440/payment-request/payment-request-in-iframe.html

So, if the resolution for this issue results in a change to the expected result for that test, then we need to remember to update the test at that time.

cc @halindrome

@adamroach
Copy link
Contributor

Note: We need to re-evaluate question 3.13 of the Security and Privacy Checklist once this issue is closed. See https://docs.google.com/document/d/1w7ginyzNg-xZUmITK4vzcGUKB4gbMOAvlkWWaRtX14k/edit?usp=sharing for additional detail

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Core Functionality help wanted Priority: Medium security-tracker Group bringing to attention of security, or tracked by the security Group but not needing response.
Projects
None yet
Development

No branches or pull requests

9 participants