it-ony / payment-request

Feedback for the W3C Web Payments Browser API https://www.w3.org/TR/payment-request/

Failed to construct 'PaymentRequest': Must be in a secure context #12

Open it-ony opened 7 years ago

it-ony commented 7 years ago

I know that the request payment API requires a secure context. Running it live, I can see at least 3 different users having the problem with "Failed to construct 'PaymentRequest': Must be in a secure context", where the raygun report that I have in front of me shows that they're.

The report lists the following details.

URL: https://checkout.spreadshirt.com/#/spreadshirt/2
User-agent: Mozilla/5.0 (Linux; Android 7.0; SM-G950U Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36
Host: "checkout.spreadshirt.com"

All browsers: Chrome 59.0.3071.125 on Android 7.0. And as the URL shows, it's a secure context with a valid certificate.

The stacktrace is

at o.requestPaymentData line 104, column 18221 (https://checkout.spreadshirt.com/Public/Checkout2/build/2.42.0/checkout/Checkout.js:104)
at o._commitSelectedPaymentMethod line 104, column 17621 (https://checkout.spreadshirt.com/Public/Checkout2/build/2.42.0/checkout/Checkout.js:104)
at o.set line 91, column 20462 (https://checkout.spreadshirt.com/Public/Checkout2/build/2.42.0/checkout/Checkout.js:91)
at o.triggerBinding line 91, column 10048 (https://checkout.spreadshirt.com/Public/Checkout2/build/2.42.0/checkout/Checkout.js:91)
at o._callback line 91, column 8228 (https://checkout.spreadshirt.com/Public/Checkout2/build/2.42.0/checkout/Checkout.js:91)
at o.trigger line 91, column 2832 (https://checkout.spreadshirt.com/Public/Checkout2/build/2.42.0/checkout/Checkout.js:91)
at o.trigger line 91, column 1382 (https://checkout.spreadshirt.com/Public/Checkout2/build/2.42.0/checkout/Checkout.js:91)
at o.set line 91, column 20645 (https://checkout.spreadshirt.com/Public/Checkout2/build/2.42.0/checkout/Checkout.js:91)
at o._revCallback line 91, column 7812 (https://checkout.spreadshirt.com/Public/Checkout2/build/2.42.0/checkout/Checkout.js:91)
at o.trigger line 91, column 2832 (https://checkout.spreadshirt.com/Public/Checkout2/build/2.42.0/checkout/Checkout.js:91)

where basically the script p=new PaymentRequest(d,h) is executed.

rsolomakhin commented 7 years ago

Is your API being used from an iframe? In that case, the top-level URL must also be HTTPS.

it-ony commented 7 years ago

I checked a few of the error entries in raygun. Might be caused by running within an iframe where the top-level context was not served via https.

Why is the secure context within the frame not enough to have access to the request payment api?

rsolomakhin commented 7 years ago

See the framed documents examples in the Secure Contexts specification. If the top-level frame is not https, then everything it embeds is considered insecure. I believe the attack vector for a non-secure top-level context is to replace what iframes it embeds via a man-in-the-middle attack.
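The rule rsolomakhin describes, as an added example that is not part of the original thread or of the spreadshirt checkout code: a document is a secure context only when its own origin and the origin of every ancestor browsing context, top-level frame down to the frame itself, is "potentially trustworthy" (https/wss, file, or a loopback host). One plain-http ancestor anywhere in the chain makes the embedded https checkout an insecure context, which is exactly the state in which Chrome refuses to construct PaymentRequest. The frame chains below are constructed for illustration; "shop.example" and "widget.example" are hypothetical embedding sites, and the trustworthiness check is a simplification of the spec (it does not model about:blank/srcdoc origin inheritance or DNS resolution of *.localhost). The guard at the end is what a checkout script can run before calling the constructor; in a browser it would be passed window.PaymentRequest and window.isSecureContext.

```javascript
'use strict';

// Added example, not from the original issue. Models the Secure Contexts
// "is origin potentially trustworthy" check and the framed-document rule,
// then wraps `new PaymentRequest(...)` behind a guard.

// Simplified trustworthiness check for one URL's origin: https://, wss://
// and file: schemes qualify, as do loopback hosts. Everything else
// (notably plain http:// on a public host) does not.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparsable URL: unknown origin, treat as untrusted
  }
  if (url.protocol === 'https:' || url.protocol === 'wss:' || url.protocol === 'file:') {
    return true;
  }
  const host = url.hostname.replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host === '::1' || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  return false;
}

// Framed-document rule: the frame is a secure context only if its own URL
// and every ancestor's URL are potentially trustworthy. `frameChain` is
// ordered top-level frame first, the frame itself last.
// Returns { secure: true } or { secure: false, blockedBy: <offending url> }.
function secureContextStatus(frameChain) {
  for (const url of frameChain) {
    if (!isPotentiallyTrustworthy(url)) {
      return { secure: false, blockedBy: url };
    }
  }
  return { secure: true };
}

// Guard for the call site in the stack trace (p = new PaymentRequest(d, h)).
// The constructor and the secure-context flag are parameters so this can be
// exercised outside a browser; a page would pass window.PaymentRequest and
// window.isSecureContext. Returns a result object instead of throwing so the
// caller can fall back to another payment method.
function tryCreatePaymentRequest(PaymentRequestCtor, isSecure, methodData, details) {
  if (!isSecure) {
    return { ok: false, reason: 'insecure-context' };
  }
  if (typeof PaymentRequestCtor !== 'function') {
    return { ok: false, reason: 'unsupported' };
  }
  try {
    return { ok: true, request: new PaymentRequestCtor(methodData, details) };
  } catch (e) {
    return { ok: false, reason: String(e && e.message) };
  }
}

// Constructed frame chains (top-level frame first). The checkout URL is the
// one from the report; the parent sites are hypothetical.
const CHECKOUT = 'https://checkout.spreadshirt.com/#/spreadshirt/2';
const CHAINS = {
  topLevelHttps: [CHECKOUT],
  embeddedInHttpsParent: ['https://shop.example/cart', CHECKOUT],
  embeddedInHttpParent: ['http://shop.example/cart', CHECKOUT],
  nestedHttpGrandparent: ['http://shop.example/', 'https://widget.example/embed', CHECKOUT],
};

// Stand-alone demo: report which chains would let PaymentRequest be built.
function demo() {
  const report = {};
  for (const [name, chain] of Object.entries(CHAINS)) {
    const status = secureContextStatus(chain);
    report[name] = status.secure ? 'secure' : 'insecure, blocked by ' + status.blockedBy;
    console.log(name + ': ' + report[name]);
  }
  return report;
}

demo();
```

The point for the checkout page is the third and fourth chains: the checkout frame itself is served over https with a valid certificate, yet window.isSecureContext is false there because an ancestor is plain http, so the constructor call fails. Checking isSecureContext (or the ancestor chain, where the embedding site is under your control) before constructing, and falling back to a non-Payment-Request flow, turns a crash into a handled case.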