diff --git a/index.html b/index.html index d8d32d50..3dcaa0c2 100644 --- a/index.html +++ b/index.html @@ -617,13 +617,11 @@

act as follows:

    -
  1. - If the current settings object's If the current settings object's responsible document is not - allowed to use the feature indicated by attribute name - allowpaymentrequest, then throw a - "SecurityError" DOMException. + allowed to use the "payment" + feature, then throw a "SecurityError" + DOMException.
  2. Let serializedMethodData be an empty list.
  3. @@ -3475,12 +3473,49 @@

    PaymentRequest and iframe elements

    -

    +

    To indicate that a cross-origin iframe is allowed to invoke the payment request API, the allowpaymentrequest attribute can be - specified on the iframe element. + specified on the iframe element. See for details of how allowpaymentrequest + and Feature Policy interact. +

    + +
    +

    + Feature Policy integration +

    +

    + This specification defines a policy-controlled feature identified by + the string "payment". Its default allowlist is + 'self'.

    +
    +

    + A document’s feature + policy determines whether any content in that document is allowed + to construct PaymentRequest instances. If disabled in any + document, no content in the document will be allowed to use + the PaymentRequest constructor (trying to create an instance + will throw). +

    +

    + The allowpaymentrequest attribute of the HTML iframe + element affects the container policy for any + document nested in that iframe. Unless overridden by the + allow + attribute, setting allowpaymentrequest on an iframe is + equivalent to <iframe allow="fullscreen *">, as + described in Feature Policy + §iframe-allowpaymentrequest-attribute. +

    +
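Review bot: in step 1 of the hunk at @@ -617,13 +617,11 @@, the feature is now named only by the bare string "payment", with no reference to where that string is defined. The same patch adds a "Feature Policy integration" section that defines the policy-controlled feature "payment" and its default allowlist 'self'. Suggest making the "payment" feature in this step a link to that definition, so the SecurityError check in the constructor and the definition cannot drift apart.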
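Review bot: in the last added paragraph of the hunk at @@ -3475,12 +3473,49 @@, the stated equivalence names the wrong feature. The text says allowpaymentrequest is equivalent to <iframe allow="fullscreen *">, but this section defines the feature "payment" and the constructor step throws on "payment", so this should read <iframe allow="payment *">. As written, an implementer following the text would conclude that the attribute grants fullscreen rather than payment request access to the nested document. Separately, the added sentence "See for details of how allowpaymentrequest and Feature Policy interact" has no visible cross-reference target; it should point at the new Feature Policy integration section.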