PaymentRequest: Use [SecureContext] instead of manual check

Until now, we had to use IsSecureContext() to check whether an execution
context is a secure context manually. But we can use [SecureContext]
instead of the manual check now. After this change, all related APIs
including PaymentRequest will not be exposed in non-secure context.

Bug: none
Change-Id: Ie5b3fc6641e882cc2844595fea350b6adb3425db
Reviewed-on: https://chromium-review.googlesource.com/818594Reviewed-by: Rouslan Solomakhin <rouslan@chromium.org>
Commit-Queue: Jinho Bang <jinho.bang@samsung.com>
Cr-Commit-Position: refs/heads/master@{#548425}

chrome/android/javatests/src/org/chromium/chrome/browser/payments/PaymentRequestBlobUrlTest.java

@@ -33,7 +33,6 @@ public class PaymentRequestBlobUrlTest {
         mPaymentRequestTestRule.openPageAndClickNode("buy");
         mPaymentRequestTestRule.assertWaitForPageScaleFactorMatch(2);
         mPaymentRequestTestRule.expectResultContains(
-                new String[] {"SecurityError: Failed to construct 'PaymentRequest': "
-                        + "Must be in a secure context"});
+                new String[] {"PaymentRequest is not defined"});
     }
 }

chrome/android/javatests/src/org/chromium/chrome/browser/payments/PaymentRequestDataUrlTest.java

@@ -46,7 +46,6 @@ public class PaymentRequestDataUrlTest implements MainActivityStartCallback {
     public void test() throws InterruptedException, ExecutionException, TimeoutException {
         mPaymentRequestTestRule.openPageAndClickNode("buy");
         mPaymentRequestTestRule.expectResultContains(
-                new String[] {"SecurityError: Failed to construct 'PaymentRequest': "
-                        + "Must be in a secure context"});
+                new String[] {"PaymentRequest is not defined"});
     }
 }

chrome/browser/ui/views/payments/payment_request_data_url_browsertest.cc

@@ -24,12 +24,19 @@ IN_PROC_BROWSER_TEST_F(PaymentRequestDataUrlTest, SecurityError) {
       "'1.00'}}})).show(); } catch(e) { "
       "document.getElementById('result').innerHTML = e; }\">Data URL "
       "Test</button><div id='result'></div></body></html>");
+
+  // PaymentRequest should not be defined in non-secure context.
+  bool result = true;
+  ASSERT_TRUE(content::ExecuteScriptAndExtractBool(
+      GetActiveWebContents(),
+      "window.domAutomationController.send('PaymentRequest' in window);",
+      &result));
+  ASSERT_FALSE(result);
+
   ASSERT_TRUE(content::ExecuteScript(
       GetActiveWebContents(),
       "(function() { document.getElementById('buy').click(); })();"));
-  ExpectBodyContains(
-      {"SecurityError: Failed to construct 'PaymentRequest': Must be in a "
-       "secure context"});
+  ExpectBodyContains({"PaymentRequest is not defined"});
 }
 
 }  // namespace payments

third_party/WebKit/LayoutTests/external/wpt/payment-request/payment-request-insecure.http.html

 <!DOCTYPE html>
-<!-- Copyright © 2017 Chromium authors and World Wide Web Consortium, (Massachusetts Institute of Technology, ERCIM, Keio University, Beihang). -->
 <meta charset="utf-8">
 <title>Test for PaymentRequest Constructor (insecure)</title>
 <link rel="help" href="https://w3c.github.io/payment-request/#paymentrequest-interface">
@@ -8,6 +7,8 @@
 <script>
 test(() => {
   assert_false(isSecureContext);
-  assert_false("PaymentRequest" in window);
+  assert_false('PaymentRequest' in window);
+  assert_false('PaymentResponse' in window);
+  assert_false('PaymentRequestUpdateEvent' in window);
 }, "PaymentRequest constructor must not be exposed in insecure context");
 </script>

third_party/WebKit/Source/modules/payments/PaymentAddress.idl

@@ -2,22 +2,23 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-// https://w3c.github.io/browser-payment-api/#paymentaddress-interface
+// https://w3c.github.io/payment-request/#paymentaddress-interface
 
 [
     RuntimeEnabled=PaymentRequest,
+    SecureContext,
     Exposed=Window
 ] interface PaymentAddress {
     serializer = {attribute};
-    readonly attribute DOMString country;
-    readonly attribute FrozenArray<DOMString> addressLine;
-    readonly attribute DOMString region;
     readonly attribute DOMString city;
+    readonly attribute DOMString country;
     readonly attribute DOMString dependentLocality;
-    readonly attribute DOMString postalCode;
-    readonly attribute DOMString sortingCode;
     readonly attribute DOMString languageCode;
     readonly attribute DOMString organization;
-    readonly attribute DOMString recipient;
     readonly attribute DOMString phone;
+    readonly attribute DOMString postalCode;
+    readonly attribute DOMString recipient;
+    readonly attribute DOMString region;
+    readonly attribute DOMString sortingCode;
+    readonly attribute FrozenArray<DOMString> addressLine;
 };

third_party/WebKit/Source/modules/payments/PaymentRequest.cpp

@@ -1005,10 +1005,7 @@ PaymentRequest::PaymentRequest(ExecutionContext* execution_context,
           execution_context->GetTaskRunner(TaskType::kMiscPlatformAPI),
           this,
           &PaymentRequest::OnCompleteTimeout) {
-  if (!GetExecutionContext()->IsSecureContext()) {
-    exception_state.ThrowSecurityError("Must be in a secure context");
-    return;
-  }
+  DCHECK(GetExecutionContext()->IsSecureContext());
 
   if (!AllowedToUsePaymentRequest(GetFrame())) {
     exception_state.ThrowSecurityError(

third_party/WebKit/Source/modules/payments/PaymentRequest.idl

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-// https://w3c.github.io/browser-payment-api/#paymentrequest-interface
+// https://w3c.github.io/payment-request/#paymentrequest-interface
 // http://crbug.com/587995
 
 [
@@ -10,6 +10,7 @@
     Constructor(sequence<PaymentMethodData> methodData, PaymentDetailsInit details, optional PaymentOptions options),
     ConstructorCallWith=ExecutionContext,
     RaisesException=Constructor,
+    SecureContext,
     Exposed=Window,
     ActiveScriptWrappable
 ] interface PaymentRequest : EventTarget {

third_party/WebKit/Source/modules/payments/PaymentRequestTest.cpp

@@ -14,19 +14,6 @@
 namespace blink {
 namespace {
 
-TEST(PaymentRequestTest, SecureContextRequired) {
-  V8TestingScope scope;
-  scope.GetDocument().SetSecurityOrigin(
-      SecurityOrigin::Create(KURL("http://www.example.com/")));
-
-  PaymentRequest::Create(
-      scope.GetExecutionContext(), BuildPaymentMethodDataForTest(),
-      BuildPaymentDetailsInitForTest(), scope.GetExceptionState());
-
-  EXPECT_TRUE(scope.GetExceptionState().HadException());
-  EXPECT_EQ(kSecurityError, scope.GetExceptionState().Code());
-}
-
 TEST(PaymentRequestTest, NoExceptionWithValidData) {
   V8TestingScope scope;
   MakePaymentRequestOriginSecure(scope.GetDocument());

third_party/WebKit/Source/modules/payments/PaymentResponse.idl

@@ -10,22 +10,23 @@ enum PaymentComplete {
     "unknown"
 };
 
-// https://w3c.github.io/browser-payment-api/#paymentresponse-interface
+// https://w3c.github.io/payment-request/#dom-paymentresponse
 
 [
     RuntimeEnabled=PaymentRequest,
+    SecureContext,
     Exposed=Window
 ] interface PaymentResponse {
     serializer = {attribute};
 
     readonly attribute DOMString requestId;
     readonly attribute DOMString methodName;
-    readonly attribute DOMString? payerName;
-    readonly attribute DOMString? payerEmail;
-    readonly attribute DOMString? payerPhone;
     [CallWith=ScriptState, RaisesException] readonly attribute object details;
     readonly attribute PaymentAddress? shippingAddress;
     readonly attribute DOMString? shippingOption;
+    readonly attribute DOMString? payerName;
+    readonly attribute DOMString? payerEmail;
+    readonly attribute DOMString? payerPhone;
 
     [CallWith=ScriptState] Promise<void> complete(optional PaymentComplete paymentResult = "unknown");
 };