Invoke "allowed to use" always (#383)

* Invoke "allowed to use" always The old text was only invoking "allowed to use" for non-top-level browsing contexts, which means the active document check is not done for the top-level document case. The old text was only invoking "allowed to use" if a document in the chain of ancestor browsing contexts were not same origin, but this does not match Chromium. Chromium will throw an exception for PaymentRequest in an iframe even if it's same origin. It also means that if everything *is* same origin, then the active document check in "allowed to use" would not be called. The use case for allowpaymentrequest must be to allow cross-origin documents in iframes to make payments. Otherwise, if everything is same-origin, the document could just construct top.PaymentRequest to bypass any checks, or set the allowpaymentrequest attribute on its frameElement. Fixes #361. The active document check in "allowed to use" was added in whatwg/html#2160. * style: fix a few markup nit
w3c · Jan 11, 2017 · 1f06fae · 1f06fae
1 parent 7527c12
commit 1f06fae
Showing 1 changed file with 4 additions and 35 deletions.
diff --git a/index.html b/index.html
@@ -355,23 +355,10 @@ <h2>
           <li>If a <code>paymentRequestID</code> was not provided during
           construction, generate a <code>paymentRequestID</code>.
           </li>
-          <li>If the <a>current settings object</a> has a <a>responsible
-          browsing context</a> that is not a <a>top-level browsing context</a>,
-          then
-            <ol>
-              <li>Let <var>context</var> be the <a>nested browsing context</a>.
-              </li>
-              <li>Let <var>origin</var> be the origin of the <a>active
-              document</a> of <var>context</var>.
-              </li>
-              <li>If any <a>ancestor browsing context</a> of <var>context</var>
-              has an <a>active document</a> with an origin that is not the same
-              as <var>origin</var> and <var>context</var>'s <a>active
-              document</a> is not <a>allowed to use</a> the feature indicated
-              by attribute name <a><code>allowpaymentrequest</code></a>, then
-              <a>throw</a> a <a>SecurityError</a>.
-              </li>
-            </ol>
+          <li>If the <a>current settings object</a>'s
+          <a data-cite="!html5#responsible-document">responsible document</a> is not <a>allowed to use</a> the feature
+          indicated by attribute name <a>allowpaymentrequest</a>,
+          then <a>throw</a> a <a>SecurityError</a>.
           </li>
           <li>Let <var>parsedMethodData</var> be an empty list.
           </li>
@@ -2337,21 +2324,6 @@ <h2>
             <li>
               <dfn>node document</dfn>
             </li>
-            <li>
-              <dfn>browsing context</dfn>
-            </li>
-            <li>
-              <dfn>browsing context container</dfn>
-            </li>
-            <li>
-              <dfn>nested browsing context</dfn>
-            </li>
-            <li>
-              <dfn>responsible browsing context</dfn>
-            </li>
-            <li>
-              <dfn>ancestor browsing context</dfn>
-            </li>
             <li>
               <dfn>top-level browsing context</dfn>
             </li>
@@ -2361,9 +2333,6 @@ <h2>
             <li>
               <dfn>allowed to use</dfn>
             </li>
-            <li>
-              <dfn>active document</dfn>
-            </li>
             <li>
               <dfn>in parallel</dfn>
             </li>