FedCM request settings & CORS
- Past
- Confirmed
- Breakout Sessions
- Past
- Confirmed
- Breakout Sessions
Meeting
Recently, we have come to the conclusion that FedCM should use CORS for the identity assertion endpoint. Other requests remain in question, like for example, the accounts endpoint have unique:
- Security constraints: like the response not being consumable by any script unless the user selects some browser UI
- Privacy requirements: like not being able to expose the RP to the IDP under any circumstance, which makes CORS an unsuitable primitive for this kind of request
Recently, Google has put together a proposal for finalizing the (security) properties of the account endpoints request, which involves interpreting the request as being "initiated" from the /.well-known
file that directs the browser to fetch it (the accounts endpoint). Today, in practice that would make the accounts endpoint request "same-origin" with the /.well-known
that initiated it, because FedCM requires that these requests be mutually same-origin.
We've reached some general agreement on this approach, but would like to discuss i with stakeholders including Fetch editors (@annevk), and also resolve outstanding discussion about how exactly cookies/credentials should be treated with this request.
Agenda
Chairs:
Dominic Farolino
Description:
Recently, we have come to the conclusion that FedCM should use CORS for the identity assertion endpoint. Other requests remain in question, like for example, the accounts endpoint have unique:
- Security constraints: like the response not being consumable by any script unless the user selects some browser UI
- Privacy requirements: like not being able to expose the RP to the IDP under any circumstance, which makes CORS an unsuitable primitive for this kind of request
Recently, Google has put together a proposal for finalizing the (security) properties of the account endpoints request, which involves interpreting the request as being "initiated" from the /.well-known
file that directs the browser to fetch it (the accounts endpoint). Today, in practice that would make the accounts endpoint request "same-origin" with the /.well-known
that initiated it, because FedCM requires that these requests be mutually same-origin.
We've reached some general agreement on this approach, but would like to discuss i with stakeholders including Fetch editors (@annevk), and also resolve outstanding discussion about how exactly cookies/credentials should be treated with this request.
Goal(s):
Resolve the topic of CORS & accounts endpoint requests
Agenda:
Discuss https://docs.google.com/document/d/1CpP9JAuqWi4yivOWQcarIqEyQzVcIxDdc8NA3HMw56I/edit, and the associated email threads that preceded it.
Materials:
Track(s):
- identity
Export options
Personal Links
Please log in to export this event with all the information you have access to.
Public Links
The following links do not contain any sensitive information and can be shared publicly.