Integrate with Feature Policy (#822)

marcoscaceres · web-flow · commit 5966e821b49c · 2019-01-29T12:27:09.000+11:00
diff --git a/index.html b/index.html
@@ -617,13 +617,11 @@ <h2>
           act as follows:
         </p>
         <ol data-link-for="PaymentDetailsBase" class="algorithm">
-          <li data-tests=
-          "allowpaymentrequest/active-document-cross-origin.https.sub.html, allowpaymentrequest/active-document-same-origin.https.html, allowpaymentrequest/removing-allowpaymentrequest.https.sub.html, allowpaymentrequest/setting-allowpaymentrequest-timing.https.sub.html, allowpaymentrequest/setting-allowpaymentrequest.https.sub.html">
-          If the <a>current settings object</a>'s <a data-cite=
+          <li>If the <a>current settings object</a>'s <a data-cite=
           "HTML#responsible-document">responsible document</a> is not
-          <a>allowed to use</a> the feature indicated by attribute name
-          <a>allowpaymentrequest</a>, then <a>throw</a> a
-          "<a>SecurityError</a>" <a>DOMException</a>.
+          <a>allowed to use</a> the "<a data-lt="payment-feature">payment</a>"
+          feature, then <a>throw</a> a "<a>SecurityError</a>"
+          <a>DOMException</a>.
           </li>
           <li>Let <var>serializedMethodData</var> be an empty list.
           </li>
@@ -3475,12 +3473,49 @@ <h2>
       <h2>
         <code>PaymentRequest</code> and <code>iframe</code> elements
       </h2>
-      <p data-tests=
-      "allowpaymentrequest/active-document-cross-origin.https.sub.html, allowpaymentrequest/active-document-same-origin.https.html, allowpaymentrequest/allowpaymentrequest-attribute-cross-origin-bc-containers.https.html, allowpaymentrequest/allowpaymentrequest-attribute-same-origin-bc-containers.https.html, allowpaymentrequest/basic.https.html, allowpaymentrequest/no-attribute-cross-origin-bc-containers.https.html, allowpaymentrequest/no-attribute-same-origin-bc-containers.https.html, allowpaymentrequest/removing-allowpaymentrequest.https.sub.html, allowpaymentrequest/setting-allowpaymentrequest-timing.https.sub.html, allowpaymentrequest/setting-allowpaymentrequest.https.sub.html">
+      <p>
         To indicate that a cross-origin <a>iframe</a> is allowed to invoke the
         payment request API, the <a>allowpaymentrequest</a> attribute can be
-        specified on the <a>iframe</a> element.
+        specified on the <a>iframe</a> element. See <a href=
+        "#feature-policy"></a> for details of how <a>allowpaymentrequest</a>
+        and <a data-cite="feature-policy">Feature Policy</a> interact.
+      </p>
+    </section>
+    <section id="feature-policy">
+      <h2>
+        Feature Policy integration
+      </h2>
+      <p>
+        This specification defines a policy-controlled feature identified by
+        the string "<code><dfn data-lt="payment-feature" data-nodefault=
+        "">payment</dfn></code>". Its <a href=
+        "feature-policy#default-allowlist">default allowlist</a> is
+        '<code>self</code>'.
       </p>
+      <div class="note">
+        <p>
+          A <a data-cite="html#concept-document">document</a>’s <a data-cite=
+          "html/multipage/dom.html#concept-document-feature-policy">feature
+          policy</a> determines whether any content in that document is allowed
+          to construct <a>PaymentRequest</a> instances. If disabled in any
+          document, no content in the document will be <a>allowed to use</a>
+          the <a>PaymentRequest</a> constructor (trying to create an instance
+          will throw).
+        </p>
+        <p>
+          The <a>allowpaymentrequest</a> attribute of the HTML <a>iframe</a>
+          element affects the <a data-cite=
+          "feature-policy#container-policy">container policy</a> for any
+          document nested in that iframe. Unless overridden by the
+          <code><a data-cite=
+          "html/multipage/iframe-embed-object.html#attr-iframe-allow">allow</a></code>
+          attribute, setting <a>allowpaymentrequest</a> on an iframe is
+          equivalent to <code>&lt;iframe allow="fullscreen *"&gt;</code>, as
+          described in <a href=
+          "feature-policy#iframe-allowpaymentrequest-attribute">Feature Policy
+          §iframe-allowpaymentrequest-attribute</a>.
+        </p>
+      </div>
     </section>
     <section>
       <h2>

-Original file line number
+Diff line change
           act as follows:
         p>
         <ol data-link-for="PaymentDetailsBase" class="algorithm">
 -          <li data-tests=
 -          "allowpaymentrequest/active-document-cross-origin.https.sub.html, allowpaymentrequest/active-document-same-origin.https.html, allowpaymentrequest/removing-allowpaymentrequest.https.sub.html, allowpaymentrequest/setting-allowpaymentrequest-timing.https.sub.html, allowpaymentrequest/setting-allowpaymentrequest.https.sub.html">
 -          If the <a>current settings objecta>'s <a data-cite=
 +          <li>If the <a>current settings objecta>'s <a data-cite=
           "HTML#responsible-document">responsible documenta> is not
 -          <a>allowed to usea> the feature indicated by attribute name
 -          <a>allowpaymentrequesta>, then <a>throwa> a
 -          "<a>SecurityErrora>" <a>DOMExceptiona>.
 +          <a>allowed to usea> the "<a data-lt="payment-feature">paymenta>"
 +          feature, then <a>throwa> a "<a>SecurityErrora>"
 +          <a>DOMExceptiona>.
           li>
           <li>Let <var>serializedMethodDatavar> be an empty list.
           li>
       <h2>
         <code>PaymentRequestcode> and <code>iframecode> elements
       h2>
 -      <p data-tests=
 -      "allowpaymentrequest/active-document-cross-origin.https.sub.html, allowpaymentrequest/active-document-same-origin.https.html, allowpaymentrequest/allowpaymentrequest-attribute-cross-origin-bc-containers.https.html, allowpaymentrequest/allowpaymentrequest-attribute-same-origin-bc-containers.https.html, allowpaymentrequest/basic.https.html, allowpaymentrequest/no-attribute-cross-origin-bc-containers.https.html, allowpaymentrequest/no-attribute-same-origin-bc-containers.https.html, allowpaymentrequest/removing-allowpaymentrequest.https.sub.html, allowpaymentrequest/setting-allowpaymentrequest-timing.https.sub.html, allowpaymentrequest/setting-allowpaymentrequest.https.sub.html">
 +      <p>
         To indicate that a cross-origin <a>iframea> is allowed to invoke the
         payment request API, the <a>allowpaymentrequesta> attribute can be
 -        specified on the <a>iframea> element.
 +        specified on the <a>iframea> element. See <a href=
 +        "#feature-policy">a> for details of how <a>allowpaymentrequesta>
 +        and <a data-cite="feature-policy">Feature Policya> interact.
 +      p>
 +    section>
 +    <section id="feature-policy">
 +      <h2>
 +        Feature Policy integration
 +      h2>
 +      <p>
 +        This specification defines a policy-controlled feature identified by
 +        the string "<code><dfn data-lt="payment-feature" data-nodefault=
 +        "">paymentdfn>code>". Its <a href=
 +        "feature-policy#default-allowlist">default allowlista> is
 +        '<code>selfcode>'.
       p>
 +      <div class="note">
 +        <p>
 +          A <a data-cite="html#concept-document">documenta>’s <a data-cite=
 +          "html/multipage/dom.html#concept-document-feature-policy">feature
 +          policya> determines whether any content in that document is allowed
 +          to construct <a>PaymentRequesta> instances. If disabled in any
 +          document, no content in the document will be <a>allowed to usea>
 +          the <a>PaymentRequesta> constructor (trying to create an instance
 +          will throw).
 +        p>
 +        <p>
 +          The <a>allowpaymentrequesta> attribute of the HTML <a>iframea>
 +          element affects the <a data-cite=
 +          "feature-policy#container-policy">container policya> for any
 +          document nested in that iframe. Unless overridden by the
 +          <code><a data-cite=
 +          "html/multipage/iframe-embed-object.html#attr-iframe-allow">allowa>code>
 +          attribute, setting <a>allowpaymentrequesta> on an iframe is
 +          equivalent to <code><iframe allow="fullscreen *">code>, as
 +          described in <a href=
 +          "feature-policy#iframe-allowpaymentrequest-attribute">Feature Policy
 +          §iframe-allowpaymentrequest-attributea>.
 +        p>
 +      div>
     section>
     <section>
       <h2>