Oops, forgot to point to the spec. Step 15 of spec (https://w3c.github.io/payment-handler/#dfn-open-window-algorithm) says:

If the origin of newContext is not the same as the service worker client origin associated with the payment handler, then:
1. Resolve promise with null.
2. Abort these steps.

Sorry for the spam. Repro step3 seems unnecessary and rather makes it no-repro. So please skip Repro step3. 

mathp, could you please take a look, or help get this assigned to the right person?

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Redirection is allowed intentionally in the opened window, if the page is redirected out of the scope of the payment handler (service worker), then the service worker loses control of that window.

Reply comment #1:
From what I test, openWindow (window_client) do resolves to null according to the reproducing steps.

If this is intentional, then this might be just a SameSite cookie bug.

Thanks for reporting, could you help create new bug about the SameSite cookie bug to keep this one separate? Closing this bug as 'WontFix'.

gogerald@, do you think this is a different bug than issue 830808 (because it has different logic)?

I can not find the bug: crbug.com/830808. Could you cc me on that bug?

Oh, okay. I don't have permission to CC :D Leave it, I will just add this bug to that bug.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot