Capability delegation means allowing a frame to relinquish its ability to call a restricted API and transfer the ability to another (sub)frame it trusts. If an app wants to delegate its ability to call a restricted JS capability (e.g. popups, fullscreen, etc) to a known+trusted third-party frame, the app would utilize a Capability Delegation API to "transfer" the ability to the target frame in a time-constrained manner (unlike static mechanisms like <iframe allow> attributes).
Many merchant websites host their online store on their own domain but outsource the payment collection and processing infrastructure to a Payment Service Provider (PSP) to comply with security and regulatory complexities around card payments. This is workflow is implemented as a “pay” button inside the top (merchant) frame where it can blend better with the rest of the merchant’s website, and payment request code inside a cross-origin iframe from the PSP. The Payment Request API used by the PSP code is gated by transient user activation (to prevent malicious attempts like unattended or repeated payment requests). Because the top (merchant) frame’s user interaction is not visible to the iframe, the PSP code needs some kind of a delegation in response to a click in the top frame to be able to initiate a payment processing. A website may want a third-party chat app in an iframe to be able to vibrate the phone on message receipt, even when the user is not active in the iframe. A web service that does not care about user location except for a “branch locator” functionality provided by a third-party map-provider app can delegate its own location access capability to the map iframe in a temporary manner. An authentication provider may wish to show a popup to complete the authentication flow before returning a token to the host site.
Specification being incubated in a Community Group
Status in Chromium
Consensus & Standardization
- No signal
Intent to Prototype urlIntent to Prototype thread
Last updated on 2021-11-15