sortable icon indicating copy to clipboard operation
sortable copied to clipboard

Published 20 hours ago verified publisher icon tofsjonas

Allow user activation to be delegated to a child frame to trigger request.show()

Open danyao opened this issue 4 years ago • 13 comments

Proxying a request from Stripe: A lot of PSPs allow merchants to fully control the look-and-feel of the checkout flow, including the "pay" button. The PSP code is embedded inside an iframe and interacts with PaymentRequest. Since the current Payment Request API spec requires a user activation to trigger request.show(), the aforementioned flow is impossible to implement in a spec-compliant browser because user activation cannot be delegated to child frames.

I think we should consider a modification of the User Activation Delegation through postMessages proposal (https://github.com/w3ctag/design-reviews/issues/347) to allow the user activation token to be passed into an iframe for the purpose of triggering request.show(). By narrowing the scope of the original proposal to just the payments feature, I think we can side step the security and UX concerns in the original proposal.

@marcoscaceres WDYT?

@mustaqahmed FYI

danyao avatar Jun 17 '20 22:06 danyao