paymentThe payment directive controls whether the Payment Request API (new PaymentRequest(...).show()) may present the browser's payment UI. Its default allowlist is self, and delegation matters for commerce sites that embed payment frames.
`payment=*` allows all origins, `payment=(self)` the document's own origin, `payment=()` blocks it entirely, and `payment=(self "https://checkout.example.com")` allows only the own origin plus the named one. For a payment provider's iframe to show the payment sheet, the parent must delegate with `<iframe allow="payment">`; without it, PaymentRequest.show() inside the frame fails.
When the policy denies it, the Promise returned by PaymentRequest.show() rejects with a SecurityError or NotAllowedError. show() must be called within a user gesture, which is a separate requirement from the policy. Payment and financial flows are vulnerable to clickjacking and origin confusion, so keep the delegated origins on a strict trust list. It replaces the payment feature of the legacy Feature-Policy header.
Permissions-Policy: payment=(self "https://checkout.example.com")