PaymentRequest should throw if not in top context.

third_party/WebKit/Source/modules/payments/PaymentRequest.cpp

Index: third_party/WebKit/Source/modules/payments/PaymentRequest.cpp
diff --git a/third_party/WebKit/Source/modules/payments/PaymentRequest.cpp b/third_party/WebKit/Source/modules/payments/PaymentRequest.cpp
index 77c01005b8f9a30f8e63f05567013cc64196e55b..c0693450dc6b7841cd43fd2ea6d62480ae1d6b70 100644
--- a/third_party/WebKit/Source/modules/payments/PaymentRequest.cpp
+++ b/third_party/WebKit/Source/modules/payments/PaymentRequest.cpp
@@ -301,13 +301,16 @@ PaymentRequest::PaymentRequest(ScriptState* scriptState, const Vector<String>& s
     , m_options(options)
     , m_clientBinding(this)
 {
-    // TODO(rouslan): Also check for a top-level browsing context.
-    // https://github.com/w3c/browser-payment-api/issues/2
     if (!scriptState->getExecutionContext()->isSecureContext()) {
         exceptionState.throwSecurityError("Must be in a secure context");
         return;
     }
 
+    if (scriptState->domWindow() != scriptState->domWindow()->top()) {

[Marijn Kruisselbrink, 2016/06/01 00:19:25]

I believe this check is more typically written as
scriptState->domWindow()->frame()->isMainFrame()

[please use gerrit instead, 2016/06/01 00:42:29]

Done.

+        exceptionState.throwSecurityError("Must be in a top-level browsing context");
+        return;
+    }
+
     if (supportedMethods.isEmpty()) {
         exceptionState.throwTypeError("Must specify at least one payment method identifier");
         return;