The FedCM <https://developers.google.com/privacy-sandbox/3pcd/fedcm> code has previously enforced that an Identity Provider (IDP)'s configURL is listed in .well-known/web-identity under its eTLD+1 (e.g. https://google.com/.well-known/web-identity), so that the IDP cannot encode RP data in the accounts endpoint URL.
However, the RP and IDP are sometimes under the same eTLD+1 in staging or testing setups. The staging IDP's URL cannot be listed in the well-known file because that file can only contain one URL. At the same time, cookies can already be shared among hosts in the same eTLD+1 via the Domain attribute, so this check has no impact on privacy in this case.

We have therefore changed Chrome to skip the well-known check if the RP and IDP are in the same eTLD+1. The change has been approved by the Chrome Web Platform security and privacy teams and will ship in Chrome 122.

One example where this would help is https://github.com/GoogleChromeLabs/privacy-sandbox-dev-support/issues/189 – the issue has been closed because an existing flag was deemed sufficient after a bug fix, but with this change no flag is needed.
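As an added illustration of the decision described above (not Chrome's code), the well-known check with the same-eTLD+1 exemption, using a toy public-suffix table and a constructed well-known file in place of real network fetches:

```python
"""Added example, not Chrome's implementation: models the FedCM
.well-known/web-identity check and the same-eTLD+1 exemption."""
import json
from urllib.parse import urlparse

# Constructed, deliberately tiny stand-in for the Public Suffix List.
# A real implementation must consult the full list.
PUBLIC_SUFFIXES = {"com", "co.uk", "github.io"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of host, e.g. 'accounts.idp.com' -> 'idp.com'."""
    labels = host.lower().rstrip(".").split(".")
    # Longest matching public suffix wins, so scan from the full host down.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix for {host}")


def check_config_url(rp_origin: str, config_url: str, fetch):
    """Decide whether the IDP configURL is acceptable for this RP.

    fetch(url) returns the body of the well-known file or None if missing.
    Returns (allowed, reason)."""
    rp_etld1 = registrable_domain(urlparse(rp_origin).hostname)
    idp_etld1 = registrable_domain(urlparse(config_url).hostname)
    if rp_etld1 == idp_etld1:
        # Cookies are already shareable across this eTLD+1, so the
        # well-known file adds no privacy protection here (Chrome 122+).
        return True, "same eTLD+1: well-known check skipped"
    body = fetch(f"https://{idp_etld1}/.well-known/web-identity")
    if body is None:
        return False, "well-known file not found under IDP eTLD+1"
    urls = json.loads(body).get("provider_urls", [])
    if len(urls) != 1:
        return False, "well-known must list exactly one provider URL"
    if urls[0] != config_url:
        # Any RP-specific suffix on the URL fails to match the listed one.
        return False, "configURL is not the URL listed in well-known"
    return True, "configURL listed in well-known"


# Constructed well-known file for the hypothetical IDP idp.com.
WELL_KNOWN = {"https://idp.com/.well-known/web-identity":
              json.dumps({"provider_urls": ["https://accounts.idp.com/fedcm.json"]})}


def fake_fetch(url: str):
    return WELL_KNOWN.get(url)
```

All hostnames in the block are constructed; a production check would additionally require HTTPS and a fresh, valid JSON response.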
