Skip to content

Fix payment permissions policy violations in donate.html iframe #14

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Copilot wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

Fix payment permissions policy violations in donate.html iframe #14

Copilot wants to merge 3 commits into from

Conversation

Copy link
Contributor

Copilot AI commented Oct 5, 2025
edited
Loading

Problem

The betterplace.org donation iframe in docs/donate.html was triggering Payment Request API violations in the browser console:

[Violation] Permissions policy violation: payment is not allowed in this document.
[Violation] Potential permissions policy violation: payment is not allowed in this document.

These violations occurred because the embedded betterplace.org widget (NativePaymentMethodsProvider.tsx) attempts to use the Payment Request API for Apple Pay and Google Pay support, but the iframe lacked the necessary browser permission.

Root Cause

Modern browsers require explicit permission via the Permissions Policy to allow iframes to access the Payment Request API. Without the allow="payment" attribute on the iframe element, the browser blocks these API calls and logs violations to the console.

Solution

Added the allow="payment" attribute to the iframe element:

Before:

<iframe width="500px" height="500" 
        src="https://www.betterplace.org/de/donate/platform/projects/138560-3d-druck-und-elektronik-ag">
</iframe>

After:

<iframe width="500px" height="500" 
        src="https://www.betterplace.org/de/donate/platform/projects/138560-3d-druck-und-elektronik-ag" 
        allow="payment">
</iframe>

Impact

  • ✅ Eliminates all payment permission console violations
  • ✅ Enables Apple Pay and Google Pay functionality within the iframe
  • ✅ Follows browser security best practices
  • ✅ Minimal code change (single attribute addition)
  • ✅ Zero breaking changes

Documentation

Updated both README.md and docs/index.html per repository guidelines to document the fix and explain the technical rationale behind the allow="payment" attribute.

References

Original prompt

This section details on the original issue you should resolve

<issue_title>errors</issue_title>
<issue_description>````
NativePaymentMethodsProvider.tsx:31 [Violation] Permissions policy violation: payment is not allowed in this document.
l @ NativePaymentMethodsProvider.tsx:31
(anonymous) @ NativePaymentMethodsProvider.tsx:70
NativePaymentMethodsProvider.tsx:31 [Violation] Permissions policy violation: payment is not allowed in this document.
l @ NativePaymentMethodsProvider.tsx:31
(anonymous) @ NativePaymentMethodsProvider.tsx:71
5
[Violation] Potential permissions policy violation: payment is not allowed in this document.
[Violation] Potential permissions policy violation: payment is not allowed in this document.
[Violation] Potential permissions policy violation: payment is not allowed in this document.
[Violation] Potential permissions policy violation: payment is not allowed in this document.
[Violation] Potential permissions policy violation: payment is not allowed in this document.
[Violation] Potential permissions policy violation: payment is not allowed in this document.

in docs/donate.html

please investigate this bug.  NativePaymentMethodsProvider.tsx seems to be a remote loaded script

import NativePaymentMethodsContext from './NativePaymentMethodsContext'
import { PaymentMethods } from '@betterplace/api-graphql-types'
import { type ReactNode, useEffect, useState } from 'react'
import type { NativePaymentAvailable, NativePaymentMethod } from './types'

function getSupportedMethods(paymentMethod: NativePaymentMethod): [PaymentMethodData] {
if (paymentMethod === PaymentMethods.StripeApplePay) {
return [
{
supportedMethods: 'https://apple.com/apple-pay',
data: {
environment: 'TEST',
},
},
]
}
return [
{
supportedMethods: 'https://google.com/pay',
data: {
currencyCode: 'EUR',
countryCode: 'DE',
},
},
]
}

async function isPaymentMethodAvailable(paymentMethod: NativePaymentMethod): Promise {
if (typeof PaymentRequest !== 'undefined') {
try {
return await new PaymentRequest(getSupportedMethods(paymentMethod), {
total: {
label: 'test',
amount: {
currency: 'EUR',
value: '0.00',
},
},
}).canMakePayment()
} catch {}
}
try {
// browser does not support PaymentRequest
if (paymentMethod === PaymentMethods.StripeApplePay && typeof window.ApplePaySession !== 'undefined') {
return (window.ApplePaySession as { canMakePayments: () => Promise }).canMakePayments() ?? false
}
if (paymentMethod === PaymentMethods.StripeGooglePay && typeof window.google !== 'undefined') {
// assumes google sdk is loaded
return (
(window.google as { payments?: { isReadyToPay: () => Promise } }).payments?.isReadyToPay() ?? false
)
}
} catch (e) {
console.error(e)
}
return false
}

const initialAvailabilityState = {
[PaymentMethods.StripeApplePay]: false,
[PaymentMethods.StripeGooglePay]: false,
}

function NativePaymentMethodsProvider({ children }: { children?: ReactNode }) {
const [available, setAvailable] = useState(initialAvailabilityState)
const [loading, setLoading] = useState(true)

useEffect(() => {
setLoading(true)
Promise.allSettled([
isPaymentMethodAvailable(PaymentMethods.StripeApplePay),
isPaymentMethodAvailable(PaymentMethods.StripeGooglePay),
])
.then((results) => {
const [applePay, googlePay] = results
if (applePay.status === 'fulfilled') {
setAvailable((prevState) => ({ ...prevState, [PaymentMethods.StripeApplePay]: applePay.value }))
} else {
setAvailable((prevState) => ({ ...prevState, [PaymentMethods.StripeApplePay]: false }))
}
if (googlePay.status === 'fulfilled') {
setAvailable((prevState) => ({ ...prevState, [PaymentMethods.StripeGooglePay]: googlePay.value }))
} else {
setAvailable((prevState) => ({ ...prevState, [PaymentMethods.StripeGooglePay]: false }))
}
})
.catch((error) => {
console.error(error from isPaymentMethodAvailable:, error)
setAvailable(initialAvailabilityState)
})
.finally(() => {
setLoading(false)
})
}, [])

return (
<NativePaymentMethodsContext.Provider value={{ available, loading }}>
{children}
</NativePaymentMethodsContext.Provider>
)
}

export default NativePaymentMethodsProvider

is the code from that file</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
</comments>


</details>
Fixes 35services/html#13

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click [here](https://survey3.medallia.com/?EAHeSx-AP01bZqG0Ld9QLQ) to start the survey.

Copilot AI and others added 2 commits October 5, 2025 21:23
@falkorichter
Add payment permission to iframe to fix Payment Request API violations
5a44389 
Co-authored-by: falkorichter <50506+falkorichter@users.noreply.github.com>
@falkorichter
Add comprehensive documentation about payment permission fix
4557b13 
Co-authored-by: falkorichter <50506+falkorichter@users.noreply.github.com>
Copilot AI changed the title [WIP] errors Fix payment permissions policy violations in donate.html iframe Oct 5, 2025
Copilot AI requested a review from falkorichter October 5, 2025 21:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@falkorichter falkorichter Awaiting requested review from falkorichter

Assignees

@falkorichter falkorichter

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@falkorichter