PaymentRequest should throw if not in top context.

third_party/WebKit/Source/modules/payments/PaymentRequest.cpp

Index: third_party/WebKit/Source/modules/payments/PaymentRequest.cpp
diff --git a/third_party/WebKit/Source/modules/payments/PaymentRequest.cpp b/third_party/WebKit/Source/modules/payments/PaymentRequest.cpp
index 77c01005b8f9a30f8e63f05567013cc64196e55b..49ab6bb0cfdf109ef4ecff3aff69c5b059a47e40 100644
--- a/third_party/WebKit/Source/modules/payments/PaymentRequest.cpp
+++ b/third_party/WebKit/Source/modules/payments/PaymentRequest.cpp
@@ -301,13 +301,16 @@ PaymentRequest::PaymentRequest(ScriptState* scriptState, const Vector<String>& s
     , m_options(options)
     , m_clientBinding(this)
 {
-    // TODO(rouslan): Also check for a top-level browsing context.
-    // https://github.com/w3c/browser-payment-api/issues/2
     if (!scriptState->getExecutionContext()->isSecureContext()) {
         exceptionState.throwSecurityError("Must be in a secure context");
         return;
     }
 
+    if (!scriptState->domWindow()->frame() || !scriptState->domWindow()->frame()->isMainFrame()) {
+        exceptionState.throwSecurityError("Must be in a top-level browsing context");
+        return;
+    }
+
     if (supportedMethods.isEmpty()) {
         exceptionState.throwTypeError("Must specify at least one payment method identifier");
         return;