LGTM3 On Wednesday, November 20, 2024 at 7:22:09 AM UTC-8 Yoav Weiss wrote:
> LGTM2 > > On Wednesday, November 20, 2024 at 3:23:26 AM UTC+1 Domenic Denicola wrote: > >> LGTM1. >> >> Note that "consensus in the WG" and "stage 2" are not terribly meaningful >> signals for the API owners. (Or at least, for me, when trying to fulfill my >> API owner duties.) We need to judge whether the specification proposed >> meets the requirements of the Blink process >> <https://www.chromium.org/blink/launching-features/#new-feature-prepare-to-ship>, >> >> which includes features like: is sufficiently detailed that a second >> implementation could implement; does not have any outstanding significant >> feedback or open issues; has received sufficient review; etc. In this >> particular case, until recently there was an outstanding negative review >> from a Gecko representative, so I wanted to delay LGTMing until that was >> cleared (which now it is). >> >> Hopefully this perspective is helpful for future feature work, and I'm >> glad to hear the WG is working on streamlining the process to make this >> smoother for you all. >> >> On Friday, November 15, 2024 at 12:11:28 AM UTC+9 Yi Gu wrote: >> >>> Hi Chris, >>> >>> Similar to the other I2S >>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/4arGqVW6V_Y?e=48417069>, >>> >>> our team is working with the FedID Working Group for standard work. At TPAC >>> the proposals got the approval >>> <https://github.com/w3c-fedid/active-mode/issues/2#issuecomment-2379788096> >>> to >>> advance to stage 2 >>> <https://github.com/w3c-fedid/Administration/blob/main/proposals-CG-WG.md#stage-2-formalization>. >>> Since >>> then we brought the spec PRs to the WG calls a couple of times and people >>> are generally aligned. Since the WG is newly formed this year, the chairs >>> and members are collaborating to streamline procedures such as merging spec >>> PRs and we are in the middle of the process. >>> >>> Yi >>> >>> >>> >>> On Wed, Nov 13, 2024 at 11:27 AM Chris Harrelson <chris...@chromium.org> >>> wrote: >>> >>>> >>>> >>>> On Thu, Nov 7, 2024 at 2:37 PM Zachary Tan <tanzach...@chromium.org> >>>> wrote: >>>> >>>>> Contact emails >>>>> >>>>> y...@chromium.org, tanzach...@chromium.org, cbiesin...@chromium.org >>>>> >>>>> Explainer >>>>> >>>>> https://github.com/w3c-fedid/active-mode >>>>> >>>>> Specification >>>>> >>>>> Spec PR for the Mode API: https://github.com/w3c-fedid/FedCM/pull/660 >>>>> >>>>> Spec PR for the Use Another Account API: >>>>> https://github.com/w3c-fedid/FedCM/pull/678 >>>>> >>>> >>>> These spec PRs are still open, is there something >>>> blocking finishing and landing them? >>>> >>>> >>>>> Summary >>>>> >>>>> We intend to ship two new extensions for FedCM to address two issue >>>>> that were collectively identified as CR blockers >>>>> <https://github.com/w3c-fedid/FedCM/wiki/Status-of-FPWD%E2%80%90identified-Issues> >>>>> by >>>>> the FedID WG: “A not-yet logged in IDP has no route to success” >>>>> <https://github.com/w3c-fedid/active-mode/issues/2> and “Allow >>>>> signing in to additional account(s) >>>>> <https://github.com/w3c-fedid/FedCM/issues/511>”. >>>>> >>>>> To address this issue, we intend to introduce the following extensions >>>>> to FedCM: >>>>> >>>>> - Mode: The “active” mode allows websites to call FedCM inside a >>>>> button click (e.g. clicking on a “Sign-in to IdP” button), which requires >>>>> FedCM to guarantee it will always respond with a visible user interface >>>>> (as >>>>> opposed to in “passive” mode, which doesn’t show any UI when users are >>>>> logged out). So, calling the FedCM API in “active mode” takes users to >>>>> login to the Identity Provider (IdP) when users are logged-out. Also, >>>>> because the active mode is called within an explicit user gesture, the UI >>>>> is also more prominent (e.g. centered and modal) compared to the UI from >>>>> the passive mode (which doesn’t require a user gesture requirement and >>>>> can >>>>> be called on page load). >>>>> >>>>> - Use Other Account: With this extension, an IdP can allow users to >>>>> sign in to other accounts. >>>>> >>>>> In addition, the APIs are solving two related CR blockers >>>>> <https://github.com/w3c-fedid/FedCM/wiki/Status-of-FPWD%E2%80%90identified-Issues> >>>>> identified >>>>> <https://lists.w3.org/Archives/Public/public-fedid-wg/2024Jul/0006.html> >>>>> by >>>>> the FedID WG. >>>>> >>>>> Feedback from Origin Trial: >>>>> >>>>> We ran the Origin Trial >>>>> <https://developer.chrome.com/origintrials/#/view_trial/2288391560657633281> >>>>> with >>>>> 30+ registrants. The feedback we got was positive. >>>>> >>>>> From the extension’s perspective, this proposal is sufficient >>>>> <https://github.com/w3c-fedid/active-mode/issues/2#issuecomment-2341644914> >>>>> to assist the users who are not signed in to their IdP when FedCM >>>>> extension is invoked. We also renamed the extension from “button” mode to >>>>> “active” mode to untie from certain UI affordances which was well >>>>> received >>>>> <https://github.com/w3c-fedid/FedCM/pull/660#issuecomment-2414525421> by >>>>> partners as well. >>>>> >>>>> From UX’s perspective, we have been iterating on the Chrome >>>>> implementation based on feedback to address potential usability issues >>>>> and >>>>> provide users better context about their login. >>>>> >>>>> Blink component >>>>> >>>>> Blink>Identity>FedCM >>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EIdentity%3EFedCM> >>>>> >>>>> Search tags >>>>> >>>>> fedcm <https://chromestatus.com/features#tags:fedcm> >>>>> >>>>> TAG review >>>>> >>>>> https://github.com/w3ctag/design-reviews/issues/935 >>>>> >>>>> TAG review status >>>>> >>>>> Pending >>>>> >>>>> Chromium Trial Name >>>>> >>>>> FedCmButtonMode, FedCmUseOtherAccount >>>>> >>>>> Origin Trial documentation link >>>>> >>>>> >>>>> https://developers.google.com/privacy-sandbox/blog/fedcm-chrome-125-updates#button-mode-api >>>>> >>>>> WebFeature UseCounter name >>>>> >>>>> kFedCmButtonMode, kFedCmUseOtherAccount >>>>> >>>>> Risks >>>>> Interoperability and Compatibility >>>>> >>>>> Gecko: Not filing a standards position request for small additions at >>>>> the explicit request from Firefox (they prefer PRs). Positive on the >>>>> “active” mode based on TPAC discussions and GitHub issues >>>>> <https://github.com/w3c-fedid/active-mode/issues/2#issuecomment-2341644914> >>>>> . >>>>> >>>>> WebKit: No signal on the particular FedCM extensions. Positive >>>>> <https://github.com/WebKit/standards-positions/issues/309#issuecomment-2008324563> >>>>> on >>>>> the initial FedCM API. Standards position requests for FedCM extensions >>>>> have been merged >>>>> <https://github.com/WebKit/standards-positions/issues/309> so not >>>>> filing a new one. >>>>> >>>>> Web developers: Positive <https://github.com/fedidcg/FedCM/issues/442> >>>>> These >>>>> features are being developed to address existing feedback for the FedCM >>>>> API. >>>>> >>>>> Other signals: N/A >>>>> >>>>> Activation >>>>> Similar to the FedCM API, we deliberately leave the bulk of the work >>>>> to the IdP to ensure that minimal RP change is needed. >>>>> >>>>> This feature, specifically, is one that can be currently controlled by >>>>> JS SDKs, so we expect activation to have a similar profile as FedCM: >>>>> immediately enabled to websites (without redeployment) by IdPs making use >>>>> of it (by redeploying their JS SDKs). >>>>> >>>>> Security >>>>> >>>>> The active mode shares all of the security properties from the passive >>>>> mode. e.g. honoring CSP, CORS, using security headers, not asking users >>>>> to >>>>> type in the browser UI etc. >>>>> >>>>> It’s worth noting that the pop-up window has the same web platform >>>>> properties as what one would get with >>>>> window.open(url,””,”popup,noopener,noreferrer”)) that loads the >>>>> login_url. >>>>> There's no communication between the website and this pop-up is allowed >>>>> (e.g. no postMessage, no window.opener). >>>>> >>>>> WebView application risks >>>>> >>>>> Does this intent deprecate or change behavior of existing APIs, such >>>>> that it has potentially high risk for Android WebView-based applications? >>>>> >>>>> None >>>>> >>>>> Debuggability >>>>> >>>>> Same as FedCM in general – console messages in devtools and general JS >>>>> debugging. e.g. we show messages when transient activation is missing >>>>> when >>>>> invoking an active mode, or when a passive flow is terminated in favor of >>>>> an active flow etc. >>>>> >>>>> Will this feature be supported on all six Blink platforms (Windows, >>>>> Mac, Linux, ChromeOS, Android, and Android WebView)? >>>>> >>>>> No, FedCM API is not available in WebView >>>>> >>>>> Is this feature fully tested by web-platform-tests >>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>>>> ? >>>>> >>>>> Yes >>>>> <https://wpt.fyi/results/fedcm/fedcm-button-and-other-account?label=master&label=experimental&aligned&q=fedcm%2Ffedcm-button-and-other-account%2F> >>>>> >>>>> Flag name on chrome://flags >>>>> >>>>> FedCmButtonMode, FedCmUseOtherAccount >>>>> >>>>> Finch feature name >>>>> >>>>> FedCmButtonMode, FedCmUseOtherAccount >>>>> >>>>> Requires code in //chrome? >>>>> >>>>> True >>>>> >>>>> Tracking bug >>>>> >>>>> https://crbug.com/1490588, https://crbug.com/40939658 >>>>> >>>>> Launch bug >>>>> >>>>> https://launch.corp.google.com/launch/4348674 >>>>> >>>>> Sample links >>>>> >>>>> https://fedcm-button.glitch.me >>>>> >>>>> Estimated milestones >>>>> >>>>> Shipping on desktop >>>>> >>>>> 132 >>>>> >>>>> Origin trial desktop first >>>>> >>>>> 125 >>>>> >>>>> Origin trial desktop last >>>>> >>>>> 133 >>>>> >>>>> Origin trial extension 1 end milestone >>>>> >>>>> 130 >>>>> >>>>> Origin trial extension 2 end milestone >>>>> >>>>> 133 >>>>> >>>>> DevTrial on desktop >>>>> >>>>> 124 >>>>> >>>>> Shipping on Android >>>>> >>>>> 132 >>>>> >>>>> Origin trial Android first >>>>> >>>>> 128 >>>>> >>>>> Origin trial Android last >>>>> >>>>> 133 >>>>> >>>>> DevTrial on Android >>>>> >>>>> 125 >>>>> >>>>> >>>>> Anticipated spec changes >>>>> >>>>> Open questions about a feature may be a source of future web compat or >>>>> interop issues. Please list open issues (e.g. links to known github >>>>> issues >>>>> in the project for the feature specification) whose resolution may >>>>> introduce web compat/interop risk (e.g., changing to naming or structure >>>>> of >>>>> the API in a non-backward-compatible way). >>>>> >>>>> None >>>>> >>>>> Link to entry on the Chrome Platform Status >>>>> >>>>> https://chromestatus.com/feature/4689551782313984?gate=4942283999019008 >>>>> >>>>> Links to previous Intent discussions >>>>> >>>>> Intent to Prototype: >>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACh2XCPzJ1beiSbsmQqvu9x24zmf6LkGuup%3DgPVyXEx%2Bux9%3Dyg%40mail.gmail.com >>>>> >>>>> Intent to Experiment: >>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1745ebe7-6c98-49c7-9d98-94b25d39b409n%40chromium.org >>>>> >>>>> Intent to Extend Experiment 1: >>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/bQqXXv2S9q0/m/yHvhuFL3AQAJ >>>>> Intent to Extend Experiment 2: >>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACh2XCMPQ9s2hUR2UYuTTkRDra0qfjxBXA0bOme2baQGbPE6NA%40mail.gmail.com >>>>> >>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "blink-dev" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to blink-dev+unsubscr...@chromium.org. >>>>> To view this discussion visit >>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK9HhFkgmbC_UG8G5yYguB609UZY%3DV66qrJrVor3PdStbadY6g%40mail.gmail.com >>>>> >>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK9HhFkgmbC_UG8G5yYguB609UZY%3DV66qrJrVor3PdStbadY6g%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>> -- >>>> >>> You received this message because you are subscribed to the Google >>>> Groups "web-identity-core" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to web-identity-core+unsubscr...@google.com. >>>> To view this discussion visit >>>> https://groups.google.com/a/google.com/d/msgid/web-identity-core/CAOMQ%2Bw90Jj7RBzmjrrQFD274KthUpLLQ5u_XxvOxYHECzquxQQ%40mail.gmail.com >>>> >>>> <https://groups.google.com/a/google.com/d/msgid/web-identity-core/CAOMQ%2Bw90Jj7RBzmjrrQFD274KthUpLLQ5u_XxvOxYHECzquxQQ%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>> . >>>> For more options, visit https://groups.google.com/a/google.com/d/optout >>>> . >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "web-identity-xfn" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to web-identity-xfn+unsubscr...@google.com. >>>> To view this discussion visit >>>> https://groups.google.com/a/google.com/d/msgid/web-identity-xfn/CAOMQ%2Bw90Jj7RBzmjrrQFD274KthUpLLQ5u_XxvOxYHECzquxQQ%40mail.gmail.com >>>> >>>> <https://groups.google.com/a/google.com/d/msgid/web-identity-xfn/CAOMQ%2Bw90Jj7RBzmjrrQFD274KthUpLLQ5u_XxvOxYHECzquxQQ%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>> . >>>> For more options, visit https://groups.google.com/a/google.com/d/optout >>>> . >>>> >>> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/84191201-1786-4b66-9732-40f04c6101f1n%40chromium.org.
