FedCM request settings & CORS

Meeting

Event details

Date:
Coordinated Universal Time
Status:
Confirmed
Location:
Ukulele
Participants:
Brian Campbell, Tim Cappalli, Wei Ding, Dominic Farolino, Yi Gu, Enrico Morisi, Theresa O'Connor, Simone Onofri, Hiroyuki Sano, Wendy Seltzer, Anne van Kesteren, Lei Zhao
Big meeting:
W3C Breakouts Day 2024 (Calendar)

Recently, we have come to the conclusion that FedCM should use CORS for the identity assertion endpoint. Other requests remain in question; the accounts endpoint, for example, has unique:

  • Security constraints: like the response not being consumable by any script unless the user selects some browser UI
  • Privacy requirements: like not being able to expose the RP to the IDP under any circumstance, which makes CORS an unsuitable primitive for this kind of request

Recently, Google has put together a proposal for finalizing the (security) properties of the accounts endpoint request, which involves interpreting the request as being "initiated" from the /.well-known file that directs the browser to fetch it (the accounts endpoint). Today, in practice, that would make the accounts endpoint request "same-origin" with the /.well-known file that initiated it, because FedCM requires that these requests be mutually same-origin.

We've reached some general agreement on this approach, but would like to discuss it with stakeholders, including Fetch editors (@annevk), and also resolve the outstanding discussion about how exactly cookies/credentials should be treated with this request.

Agenda

Chairs:
Dominic Farolino

Goal(s):
Resolve the topic of CORS & accounts endpoint requests

Agenda:
Discuss https://docs.google.com/document/d/1CpP9JAuqWi4yivOWQcarIqEyQzVcIxDdc8NA3HMw56I/edit, and the associated email threads that preceded it.

Materials:

Track(s):

  • identity
