
fix: add required sandbox and referrerpolicy attrs to coinbase iframe#2447

Merged
broody merged 1 commit into main from fix/coinbase-iframe-attrs
Feb 25, 2026

Conversation

@broody
Contributor

@broody broody commented Feb 25, 2026

Adds the required sandbox="allow-scripts allow-same-origin" and referrerPolicy="no-referrer" attributes to the Coinbase payment iframe in the popup, as required by Coinbase's embed documentation.

@vercel

vercel bot commented Feb 25, 2026

The latest updates on your projects.

Project                  Deployment  Actions  Updated (UTC)
controller-example-next  Ready       Preview  Feb 25, 2026 10:07pm
keychain                 Ready       Preview  Feb 25, 2026 10:07pm
keychain-storybook       Ready       Preview  Feb 25, 2026 10:07pm


… popup

Replace GraphQL polling in the popup with Coinbase's native postMessage
events for real-time feedback. Add required iframe sandbox and
referrerPolicy attributes.

Events handled:
- load_success: hide loading spinner when Apple Pay button is ready
- load_error: show error with Coinbase's localized message
- commit_success: show 'processing' indicator after Apple Pay tap
- commit_error: show specific decline/error reasons
- cancel: notify user payment was cancelled
- polling_success: auto-close popup on confirmed transaction
- polling_error: show transaction failure details

The keychain-side hook still polls via GraphQL independently.
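An added example, not code from this PR or from the keychain project, of the origin-verified postMessage handling the commit message describes: the allowed-origin value, the payload shape `{ eventName, errorMessage }`, and every function and state name below are assumptions.

```javascript
// Added example (not code from the PR): a postMessage handler for the
// Coinbase payment iframe that verifies the sender origin before acting on
// any of the events the commit message lists. ASSUMPTIONS, not from the page:
// the allowed origin value, the payload shape { eventName, errorMessage },
// and every function and state name below.

const ALLOWED_COINBASE_ORIGIN = "https://pay.coinbase.com"; // assumed; confirm against Coinbase's embed docs

// Popup UI state for each Coinbase event named in the commit message.
const UI_STATE_BY_EVENT = {
  load_success: { status: "ready", closePopup: false },       // hide spinner
  load_error: { status: "failed", closePopup: false },        // show Coinbase's message
  commit_success: { status: "processing", closePopup: false },
  commit_error: { status: "failed", closePopup: false },      // show decline reason
  cancel: { status: "cancelled", closePopup: false },
  polling_success: { status: "completed", closePopup: true }, // auto-close popup
  polling_error: { status: "failed", closePopup: false },
};

// Returns the next UI state, or null when the message must be ignored.
function handleCoinbaseMessage(event, allowedOrigin = ALLOWED_COINBASE_ORIGIN) {
  // Exact string comparison: startsWith/includes/regex checks would accept
  // look-alike origins such as "https://pay.coinbase.com.example".
  if (typeof event.origin !== "string" || event.origin !== allowedOrigin) return null;
  const data = event.data;
  if (!data || typeof data !== "object" || typeof data.eventName !== "string") return null;
  const base = UI_STATE_BY_EVENT[data.eventName];
  if (!base) return null; // unknown event name: ignore rather than guess
  const next = { ...base, eventName: data.eventName };
  // Only surface a message for error events, and only when it is a plain string.
  if (next.status === "failed" && typeof data.errorMessage === "string") {
    next.message = data.errorMessage;
  }
  return next;
}

// Wiring in the popup; the guard lets the block also load outside a browser.
if (typeof window !== "undefined") {
  window.addEventListener("message", (ev) => {
    const next = handleCoinbaseMessage(ev);
    if (next) console.log("coinbase", next); // replace with setState / window.close()
  });
}
```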
@claude
Contributor

claude bot commented Feb 25, 2026

Claude finished @broody's task


Analysis Complete

PR Summary:

  • Added required sandbox="allow-scripts allow-same-origin" and referrerPolicy="no-referrer" attributes to Coinbase iframe (Coinbase requirement)
  • Replaced GraphQL polling with postMessage event handling for status updates
  • Added visual feedback states (committed, completed, failed)
  • Implemented origin verification for postMessage security

Documentation Decision: NO UPDATES NEEDED

Reasoning:

  1. Iframe attributes: Adding sandbox and referrerPolicy attributes is a technical compliance requirement from Coinbase, not a developer-facing API change
  2. Polling → postMessage: This is an internal refactor changing how the popup component monitors payment status (from GraphQL polling to Coinbase event listeners)
  3. UI improvements: Enhanced status indicators ("Payment processing...", better error messages) are internal UX refinements
  4. No API changes: The integration point for developers remains unchanged - they still use the useCoinbase hook and existing purchase flows
  5. No new features: No new capabilities exposed to game developers
  6. Existing docs are accurate: The Coinbase Onramp documentation describes the high-level integration, user flow, and developer-facing hooks - all remain accurate

DEFAULT TO NO CHANGES applied: Per the documentation rules, internal refactors, security fixes, and implementation details do not require documentation updates unless they change how developers integrate or use the feature. This PR is purely an internal implementation improvement to meet Coinbase's technical requirements and improve the popup's real-time feedback mechanism.

