126126 version are as follows. The complete list of changes, including all
127127 editorial changes, is viewable in the < a href =
128128 "https://github.com/w3c/payment-request/commits/gh-pages "> commit
129- history</ a > .
129+ history</ a > . Key set of changes are viewable in the < a href =
130+ "#changelog "> Changelog</ a > .
130131 </ p >
131132 < ul >
132133 < li > Added support for notification when the user selects a payment
161162 </ li >
162163 < li > Defined handling of multiple applicable modifiers.
163164 </ li >
165+ < li > Deprecated `allowpaymentrequest` attribute.
166+ </ li >
164167 </ ul >
165168 </ section >
166169 </ section >
@@ -594,6 +597,29 @@ <h3>
594597 doPaymentRequest();
595598 </ pre >
596599 </ section >
600+ < section >
601+ < h2 >
602+ Using with cross-origin iframes
603+ </ h2 >
604+ < p >
605+ To indicate that a cross-origin [^iframe^] is allowed to invoke the
606+ payment request API, the [^iframe/allow^] attribute along with the
607+ "payment" keyword can be specified on the [^iframe^] element.
608+ </ p >
609+ < pre class ="example html " title =
610+ "Using Payment Request API with cross-origin iframes ">
611+ <iframe
612+ src="https://cross-origing.example"
613+ allow="payment">
614+ </iframe>
615+ </ pre >
616+ < p >
617+ If the [^iframe^] will be navigated across multiple origins that
618+ support the Payment Request API, then one can set [^iframe/allow^] to
619+ `"payment *"`. The [[[permissions-policy]]] specification provides
620+ further details and examples.
621+ </ p >
622+ </ section >
597623 </ section >
598624 < section data-dfn-for ="PaymentRequest ">
599625 < h2 >
@@ -3574,18 +3600,6 @@ <h2>
35743600 </ table >
35753601 </ section >
35763602 </ section >
3577- < section class ="informative ">
3578- < h2 >
3579- < code > PaymentRequest</ code > and < code > iframe</ code > elements
3580- </ h2 >
3581- < p >
3582- To indicate that a cross-origin [^iframe^] is allowed to invoke the
3583- payment request API, the [^iframe/allowpaymentrequest^] attribute can
3584- be specified on the [^iframe^] element. See [[[#permissions-policy]]]
3585- for details of how [^iframe/allowoaymentrequest=] and
3586- [[[permissions-policy]]] interact.
3587- </ p >
3588- </ section >
35893603 < section id ="permissions-policy " data-cite ="permissions-policy ">
35903604 < h2 >
35913605 Permissions Policy integration
@@ -3596,25 +3610,15 @@ <h2>
35963610 ""> payment</ dfn > </ code > ". Its < a > default allowlist</ a > is
35973611 '< code > self</ code > '.
35983612 </ p >
3599- < div class ="note ">
3613+ < aside class ="note ">
36003614 < p >
36013615 A < a > document</ a > ’s [=Document/permissions policy=] determines
36023616 whether any content in that document is allowed to construct
36033617 {{PaymentRequest}} instances. If disabled in any document, no content
36043618 in the document will be < a > allowed to use</ a > the {{PaymentRequest}}
36053619 constructor (trying to create an instance will throw).
36063620 </ p >
3607- < p >
3608- The [^iframe/allowpaymentrequest^] attribute of the HTML
3609- < a > iframe</ a > element affects the < a > container policy</ a > for any
3610- document nested in that iframe. Unless overridden by the
3611- [^iframe/allow^] attribute, setting [^iframe/allowpaymentrequest^] on
3612- an iframe is equivalent to `<iframe allow="fullscreen *">`, as
3613- described in < a data-cite =
3614- "permissions-policy#iframe-allowpaymentrequest-attribute "> Permissions
3615- Policy §allowpaymentrequest</ a > .
3616- </ p >
3617- </ div >
3621+ </ aside >
36183622 </ section >
36193623 < section >
36203624 < h2 >
@@ -5179,7 +5183,7 @@ <h2>
51795183 It is common for merchants and other payees to delegate checkout and
51805184 other e-commerce activities to payment service providers through an
51815185 < a > iframe</ a > . This API supports payee-authorized cross-origin
5182- iframes through [[HTML]]'s [^iframe/allowpaymentrequest ^] attribute.
5186+ iframes through [[HTML]]'s [^iframe/allow ^] attribute.
51835187 </ p >
51845188 < p class ="Note ">
51855189 < a > Payment handlers</ a > have access to both the origin that hosts the
0 commit comments