5

I have Apple Pay for web working when the button is in the top-level document. Unfortunately, when opened inside an iframe, it throws the following error:

Trying to call an ApplePaySession API from a document with an different security origin than its top-level frame.
Martin Costello
nabinchha

2 Answers

4

The ApplePaySession object is created as being associated with a certain domain which is associated with the request. When the merchant validation occurs, the merchant session you receive is associated with the URL associated with the domain that you posted when the merchant session was validated. If the top-level frame's domain does not match the one associated with your merchant session then the request will fail as is happening for you.

I would imagine this is to prevent injected frames by malicious scripts attempting to trick the user into paying for goods and services associated with the top-level domain when the merchant session is actually associated with the malicious script.

You may be able to get things to work by having the code in your frame validate the merchant session against the domain associated with the page you know you're going to place the frame in, but this isn't a scenario I've tried.

Updated 12/01/2017

As mentioned in comments below this post, use of Apple Pay with frames is not supported.

Martin Costello
  • 3
    Nope. Safari will check where the click event originates, and will only work for top-level frames. I've tried several different ways, but iframes (even with HTTPS) do NOT work. – Shane Stillwell Jan 12 '17 at 01:19
1

Would a Multi-Domain SSL certificate not suffice? The single certificate can identify multiple domains that your business manages. Does the Apple Pay process not allow for this type of cert?

JoeFlash
  • This does not provide an answer to the question. Once you have sufficient [reputation](http://stackoverflow.com/help/whats-reputation) you will be able to [comment on any post](http://stackoverflow.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](http://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/low-quality-posts/14195797) – Or Duan Nov 05 '16 at 04:22
  • @OrDuan it sounds like a question but it is half answer like – Drew Nov 05 '16 at 04:33
  • I have since discovered that the Apple Pay method requires the same domain, port, and protocol (https) for the site and the payment process. Therefore the Multi-domain SSL certificate would not be an option. Sorry. – JoeFlash Mar 09 '17 at 17:02
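
The answers and comments above come down to an origin check (scheme, host and port) between the payment document and its top-level frame. The following is an added example, not code from any of the posters or from Apple: it classifies the current browsing context before any `ApplePaySession` API is touched, so a framed checkout can fall back to a top-level page instead of throwing. `classifyFrame`, `shouldShowApplePayButton`, `allowSameOriginFrame` and `fakeWindow` are hypothetical names, and the `.example` origins are constructed.

```javascript
// Classify the browsing context of `win` (a window-like object, passed in
// so the logic can also be exercised outside a browser).
function classifyFrame(win) {
  if (win.top === win.self) return "top-level";
  try {
    // Reading top.location throws a SecurityError when the top-level
    // document is cross-origin, so reaching the comparison means same-origin.
    const topOrigin = win.top.location.origin;
    // An origin is scheme + host + port; all three must match.
    return topOrigin === win.location.origin
      ? "same-origin-frame"
      : "cross-origin-frame";
  } catch (err) {
    return "cross-origin-frame";
  }
}

// Decide whether to render the Apple Pay button in this context.
// Assumption: frames are refused by default, following the comments on this
// page; allowSameOriginFrame is a hypothetical opt-in for same-origin embeds.
function shouldShowApplePayButton(win, { allowSameOriginFrame = false } = {}) {
  const context = classifyFrame(win);
  if (context === "cross-origin-frame") return false;
  if (context === "same-origin-frame" && !allowSameOriginFrame) return false;
  // Feature-detect only after the frame check, so no ApplePaySession API
  // is called from a context where it would raise the error in the question.
  const session = win.ApplePaySession;
  return Boolean(session && session.canMakePayments());
}

// Constructed stand-in for a browser window, so the example runs under Node.
// topOrigin undefined means the document is itself the top-level frame.
function fakeWindow(origin, topOrigin, applePay = true) {
  const win = { location: { origin } };
  win.self = win;
  win.ApplePaySession = applePay ? { canMakePayments: () => true } : undefined;
  if (topOrigin === undefined) {
    win.top = win;
  } else if (topOrigin === origin) {
    win.top = { location: { origin: topOrigin } };
  } else {
    // Mimic the browser blocking cross-origin access to top.location.
    win.top = { get location() { throw new Error("SecurityError"); } };
  }
  return win;
}
```

In a browser, call `shouldShowApplePayButton(window)` and, when it returns `false` inside a frame, send the shopper to a top-level checkout page rather than rendering the button.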