LGTM1
On 3/4/24 1:33 PM, Nicolás Peña wrote:
Contact emails
n...@chromium.org
Explainer
https://github.com/fedidcg/FedCM/issues/428
Specification
https://github.com/fedidcg/FedCM/pull/547
Summary
The fetches in the FedCM API are hard to reason about because of the
properties required of them. While there is ongoing discussion
regarding the accounts endpoint, there is broad consensus that the ID
assertion endpoint should use CORS. This aligns security properties of
this fetch more closely to other fetches in the web platform.
Blink component
Blink>Identity>FedCM
<https://g-issues.chromium.org/issues?q=status:open%20componentid:1456331&pli=1&authuser=0>
TAG review
Not requesting a TAG review. We have already had extensive discussions
with Fetch experts.
TAG review status
N/A
Risks
Interoperability and Compatibility
This is a backwards incompatible feature, but one that is warranted
due to consensus reached by our security reviewers as well as other
browser vendor engineers. We have a manageable list of IDPs that we
know are using the FedCM API and we have reached out to all IDPs that
are currently deploying FedCM to make sure that they won’t break with
this change.
Gecko: Positive based on TPAC discussions and
https://github.com/fedidcg/FedCM/issues/428. Not filing a standards
position request for small additions at the explicit request from
Firefox (they prefer PRs).
WebKit: Positive based on TPAC discussions and
https://github.com/fedidcg/FedCM/issues/428. Recently, standards
position requests for smaller FedCM features have been closed,
pointing to the (unresolved) main FedCM one in
https://github.com/WebKit/standards-positions/issues/309 so not
filing one for this.
Web developers: No signals
Other signals:
Ergonomics
N/A
Activation
N/A
Security
By adding CORS, we add a check that the IDP explicitly agrees for the
browser to share the ID assertion response to the RP. In addition,
having this fetch align with most other credentialed fetches in the
browser means that any future protections are received by default, and
we do not have to special case this fetch.
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such
that it has potentially high risk for Android WebView-based applications?
None
Debuggability
We surface errors when there is a network problem with the ID
assertion fetch. This will help developers understand when this
feature introduces a problem in their FedCM calls.
Will this feature be supported on all six Blink platforms (Windows,
Mac, Linux, ChromeOS, Android, and Android WebView)?
No. FedCM is not supported on Android WebView.
Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
https://wpt.fyi/results/credential-management/fedcm-identity-assertion-nocors.https.html?label=experimental&label=master&aligned (will
pass on Chrome once we ship)
Flag name on chrome://flags
None
Finch feature name
FedCmIdAssertionCORS
Requires code in //chrome?
True (because FedCM API does)
Tracking bug
https://issues.chromium.org/issues/40284123
Estimated milestones
DevTrial on desktop
120
DevTrial on Android
120
We want to ship on M124
Anticipated spec changes
Open questions about a feature may be a source of future web compat or
interop issues. Please list open issues (e.g. links to known github
issues in the project for the feature specification) whose resolution
may introduce web compat/interop risk (e.g., changes to naming or
structure of the API in a non-backward-compatible way).
https://github.com/whatwg/fetch/issues/1637
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5094763339710464
This intent message was generated by Chrome Platform Status
<https://chromestatus.com/>.
--
You received this message because you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1814484e-4a0c-4210-b936-29ead46f32c5n%40chromium.org.
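The CORS check described under "Security" in the intent above, sketched from the IDP's side as an added example (not part of the original message and not Chromium or any IDP's code). The `client_id` and `account_id` request fields follow the FedCM ID assertion request; the registry `RP_ORIGINS`, the function names, the origins and the token value are constructed for illustration.

```javascript
// Constructed registry: which RP origin each client_id was registered with.
const RP_ORIGINS = new Map([['rp-client-123', 'https://rp.example']]);

// IDP side: build the response to a credentialed POST on the ID assertion
// endpoint. req = { headers: { lowercased-name: value }, body: urlencoded }.
function handleIdAssertion(req, issueToken) {
  const origin = req.headers['origin'];
  const params = new URLSearchParams(req.body);
  const clientId = params.get('client_id');
  const registered = RP_ORIGINS.get(clientId);

  // Refuse unless the requesting Origin is the one registered for this
  // client_id. Without CORS headers the browser will not share the
  // response with the RP.
  if (!origin || !registered || origin !== registered) {
    return { status: 403, headers: {}, body: '' };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json',
      // Echo the exact origin: "*" is rejected for credentialed fetches.
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
      'Vary': 'Origin',
    },
    body: JSON.stringify({
      token: issueToken(clientId, params.get('account_id')),
    }),
  };
}

// Browser side (simplified): the CORS check for a credentialed request.
// The response reaches the RP only if the IDP opted in for that origin.
function corsCheckPasses(response, rpOrigin) {
  const h = response.headers;
  return h['Access-Control-Allow-Origin'] === rpOrigin &&
         h['Access-Control-Allow-Credentials'] === 'true';
}

// Constructed sample request from the registered RP.
const sampleRequest = {
  headers: { origin: 'https://rp.example' },
  body: 'client_id=rp-client-123&account_id=acct-1',
};
const sampleToken = (clientId, accountId) => `tok:${clientId}:${accountId}`;
```

An IDP that previously answered this endpoint without `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials` is the backwards-incompatible case the intent refers to: the token is issued, but the CORS check fails and the RP never sees it.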