Payment-request: Integration with Feature Policy

Created on 4 Sep 2017  路  11Comments  路  Source: w3c/payment-request

In V2, the spec should integrate with the Feature Policy spec. We need to investigate what this means and/or reverse engineer the Web Platform Tests that Google has submitted around this.

security-tracker Editorial CR-Exit Has Pull Request

All 11 comments

Soooooo.... we (Firefox) are about to land support for Feature Policy.

As part of that, we support:

  • IDL/JS: document.policy.allowsFeature('payment').
  • allow attribute.
  • HTTP header(s?).

@aestes, I see from caniuse.com that Safari supports the allow attribute at least.

@rsolomakhin, what's the status on the Chrome side? I know you guys did a bunch of work on feature policy early on.

It could be an easy win here for 1.1 given that we are somewhat aligned on implementation.

So, for integration, all we do is add:
https://github.com/WICG/feature-policy/blob/master/features.md#payment

To our spec. Imma cc'ing @clelland in case I missed something and for any additional guidance.

I believe it's fully implemented in Chrome, but I've pinged the code owner to provide a more nuanced and accurate answer as well.

cc @loonybear

Re what's the status on the Chrome side?

  • Feature-Policy HTTP Header Field

    • Note: there was a discussion about change "Feature-Policy" to "Allow" at one point but AFAIK, there weren't any action upon that.

  • iframe allow attribute
  • JS introspection:

    • allowsFeature(feature, optional url);

    • allowedFeatures();

    • getAllowlistForFeature(DOMString feature);

    • Note: these JS APIs are currently in origin trial. We have them implemented but I don't think they are fully shipped yet. @clelland would know more

  • In terms of features, we have a bunch supported:
    Permission based like "camera", "geolocation", "microphone", "midi", "speaker", etc
    Other things like: "fullscreen", "sync-xhr", "vr", etc
    Meanwhile, we have experimental features such as "payment", "picture-in-picture", "usb", etc

Hope that helps.

@marcoscaceres, that sounds about right; the JS is a bit more complex than that[1], but the details are in the spec.

The only other piece I can think of that's specifically relevant for payment request is supporting both feature policy and the original <iframe allowpaymentrequest> mechanism. There is some text in HTML, but the best description of what to do is in the Feature Policy spec under Additional attributes to support legacy features and the Process feature policy attributes algorithm.

[1] There's also a document.policy.allowedFeatures array which should include "payment" when allowed, and a bit of subtlety around HTMLIFrameElement.policy to avoid cross-origin info leaks

Re https://github.com/w3c/payment-request/issues/600#issuecomment-421393998,

I realized that we can't rename the header field to Allow, since that's already a thing.

@clelland, thanks! Ok, so it looks like all we would need is a non-normative section in Payment Request pointing to those sections of Feature Policy.

I think there might even be WPTests already for testing that FP and allowpaymentrequest work correctly, so we might be all good.

Marking this as Editorial, and setting it as CR exit target - as I think it might be nice to ship with this in V1. There won't be a normative dependency on FP, but if other vendors implement FP, they get the right behavior 馃

@marcoscaceres, just a note that Feature Policy was published today as a FPWD:
https://www.w3.org/TR/2019/WD-feature-policy-1-20190416/

Excellent, thanks for the update.

Was this page helpful?
0 / 5 - 0 ratings