[Payment Request] Restrict API use to secure, same-origin frames
authorkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 26 Oct 2017 23:28:31 +0000 (23:28 +0000)
committerkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 26 Oct 2017 23:28:31 +0000 (23:28 +0000)
commit30f3e5161665ab6246d5d2408b224771bca9597c
tree4a54cd0fe2e4199740dbb0f8227bfdefb4314acd
parentd922205f38eae4b936d7a9c32e673bdddbb427e5
[Payment Request] Restrict API use to secure, same-origin frames
https://bugs.webkit.org/show_bug.cgi?id=178887

Patch by Andy Estes <aestes@apple.com> on 2017-10-26
Reviewed by Tim Horton.

Reuse the access checks from Apple Pay to restrict PaymentRequest API usage to secure frames
in the same origin as the main frame.

Progresses active-document-cross-origin.https.sub.html and
active-document-same-origin.https.html from web-platform-tests. Regresses basic.https.html
since the allowpaymentrequest <iframe> attribute is not yet implemented.

* Modules/applepay/ApplePaySession.cpp:
(WebCore::ApplePaySession::create):
(WebCore::ApplePaySession::supportsVersion):
(WebCore::ApplePaySession::canMakePayments):
(WebCore::ApplePaySession::canMakePaymentsWithActiveCard):
(WebCore::ApplePaySession::openPaymentSetup):
(WebCore::isSecure): Deleted.
(WebCore::canCallApplePaySessionAPIs): Deleted.
* Modules/applepay/PaymentSession.cpp: Added.
(WebCore::isSecure):
(WebCore::PaymentSession::canCreateSession):
* Modules/applepay/PaymentSession.h:
* Modules/paymentrequest/PaymentHandler.cpp:
(WebCore::PaymentHandler::canCreateSession):
* Modules/paymentrequest/PaymentHandler.h:
* Modules/paymentrequest/PaymentRequest.cpp:
(WebCore::PaymentRequest::create):
* WebCore.xcodeproj/project.pbxproj:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@224062 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/platform/graphics/mac/MediaPlayerPrivateQTKit.mm