LGTM3

On Wednesday, November 20, 2024 at 7:22:09 AM UTC-8 Yoav Weiss wrote:

> LGTM2
>
> On Wednesday, November 20, 2024 at 3:23:26 AM UTC+1 Domenic Denicola wrote:
>
>> LGTM1.
>>
>> Note that "consensus in the WG" and "stage 2" are not terribly meaningful 
>> signals for the API owners. (Or at least, for me, when trying to fulfill my 
>> API owner duties.) We need to judge whether the specification proposed 
>> meets the requirements of the Blink process 
>> <https://www.chromium.org/blink/launching-features/#new-feature-prepare-to-ship>,
>>  
>> which includes features like: is sufficiently detailed that a second 
>> implementation could implement; does not have any outstanding significant 
>> feedback or open issues; has received sufficient review; etc. In this 
>> particular case, until recently there was an outstanding negative review 
>> from a Gecko representative, so I wanted to delay LGTMing until that was 
>> cleared (which now it is).
>>
>> Hopefully this perspective is helpful for future feature work, and I'm 
>> glad to hear the WG is working on streamlining the process to make this 
>> smoother for you all.
>>
>> On Friday, November 15, 2024 at 12:11:28 AM UTC+9 Yi Gu wrote:
>>
>>> Hi Chris,
>>>
>>> Similar to the other I2S 
>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/4arGqVW6V_Y?e=48417069>,
>>>  
>>> our team is working with the FedID Working Group for standard work. At TPAC 
>>> the proposals got the approval 
>>> <https://github.com/w3c-fedid/active-mode/issues/2#issuecomment-2379788096> 
>>> to 
>>> advance to stage 2 
>>> <https://github.com/w3c-fedid/Administration/blob/main/proposals-CG-WG.md#stage-2-formalization>.
>>>  Since 
>>> then we brought the spec PRs to the WG calls a couple of times and people 
>>> are generally aligned. Since the WG is newly formed this year, the chairs 
>>> and members are collaborating to streamline procedures such as merging spec 
>>> PRs and we are in the middle of the process.
>>>
>>> Yi
>>>
>>>
>>>
>>> On Wed, Nov 13, 2024 at 11:27 AM Chris Harrelson <chris...@chromium.org> 
>>> wrote:
>>>
>>>>
>>>>
>>>> On Thu, Nov 7, 2024 at 2:37 PM Zachary Tan <tanzach...@chromium.org> 
>>>> wrote:
>>>>
>>>>> Contact emails
>>>>>
>>>>> y...@chromium.org, tanzach...@chromium.org, cbiesin...@chromium.org
>>>>>
>>>>> Explainer
>>>>>
>>>>> https://github.com/w3c-fedid/active-mode
>>>>>
>>>>> Specification
>>>>>
>>>>> Spec PR for the Mode API: https://github.com/w3c-fedid/FedCM/pull/660
>>>>>
>>>>> Spec PR for the Use Another Account API: 
>>>>> https://github.com/w3c-fedid/FedCM/pull/678
>>>>>
>>>>
>>>> These spec PRs are still open, is there something 
>>>> blocking finishing and landing them?
>>>>  
>>>>
>>>>> Summary
>>>>>
>>>>> We intend to ship two new extensions for FedCM to address two issue 
>>>>> that were collectively identified as CR blockers 
>>>>> <https://github.com/w3c-fedid/FedCM/wiki/Status-of-FPWD%E2%80%90identified-Issues>
>>>>>  by 
>>>>> the FedID WG: “A not-yet logged in IDP has no route to success” 
>>>>> <https://github.com/w3c-fedid/active-mode/issues/2> and “Allow 
>>>>> signing in to additional account(s) 
>>>>> <https://github.com/w3c-fedid/FedCM/issues/511>”.
>>>>>
>>>>> To address this issue, we intend to introduce the following extensions 
>>>>> to FedCM:
>>>>>
>>>>> - Mode: The “active” mode allows websites to call FedCM inside a 
>>>>> button click (e.g. clicking on a “Sign-in to IdP” button), which requires 
>>>>> FedCM to guarantee it will always respond with a visible user interface 
>>>>> (as 
>>>>> opposed to in “passive” mode, which doesn’t show any UI when users are 
>>>>> logged out). So, calling the FedCM API in “active mode” takes users to 
>>>>> login to the Identity Provider (IdP) when users are logged-out. Also, 
>>>>> because the active mode is called within an explicit user gesture, the UI 
>>>>> is also more prominent (e.g. centered and modal) compared to the UI from 
>>>>> the passive mode (which doesn’t require a user gesture requirement and 
>>>>> can 
>>>>> be called on page load).
>>>>>
>>>>> - Use Other Account: With this extension, an IdP can allow users to 
>>>>> sign in to other accounts.
>>>>>
>>>>> In addition, the APIs are solving two related CR blockers 
>>>>> <https://github.com/w3c-fedid/FedCM/wiki/Status-of-FPWD%E2%80%90identified-Issues>
>>>>>  identified 
>>>>> <https://lists.w3.org/Archives/Public/public-fedid-wg/2024Jul/0006.html> 
>>>>> by 
>>>>> the FedID WG.
>>>>>
>>>>> Feedback from Origin Trial:
>>>>>
>>>>> We ran the Origin Trial 
>>>>> <https://developer.chrome.com/origintrials/#/view_trial/2288391560657633281>
>>>>>  with 
>>>>> 30+ registrants. The feedback we got was positive.
>>>>>
>>>>> From the extension’s perspective, this proposal is sufficient 
>>>>> <https://github.com/w3c-fedid/active-mode/issues/2#issuecomment-2341644914>
>>>>>  to assist the users who are not signed in to their IdP when FedCM 
>>>>> extension is invoked. We also renamed the extension from “button” mode to 
>>>>> “active” mode to untie from certain UI affordances which was well 
>>>>> received 
>>>>> <https://github.com/w3c-fedid/FedCM/pull/660#issuecomment-2414525421> by 
>>>>> partners as well.
>>>>>
>>>>> From UX’s perspective, we have been iterating on the Chrome 
>>>>> implementation based on feedback to address potential usability issues 
>>>>> and 
>>>>> provide users better context about their login.
>>>>>
>>>>> Blink component
>>>>>
>>>>> Blink>Identity>FedCM 
>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EIdentity%3EFedCM>
>>>>>
>>>>> Search tags
>>>>>
>>>>> fedcm <https://chromestatus.com/features#tags:fedcm>
>>>>>
>>>>> TAG review
>>>>>
>>>>> https://github.com/w3ctag/design-reviews/issues/935
>>>>>
>>>>> TAG review status
>>>>>
>>>>> Pending
>>>>>
>>>>> Chromium Trial Name
>>>>>
>>>>> FedCmButtonMode, FedCmUseOtherAccount
>>>>>
>>>>> Origin Trial documentation link
>>>>>
>>>>>
>>>>> https://developers.google.com/privacy-sandbox/blog/fedcm-chrome-125-updates#button-mode-api
>>>>>
>>>>> WebFeature UseCounter name
>>>>>
>>>>> kFedCmButtonMode, kFedCmUseOtherAccount
>>>>>
>>>>> Risks
>>>>> Interoperability and Compatibility
>>>>>
>>>>> Gecko: Not filing a standards position request for small additions at 
>>>>> the explicit request from Firefox (they prefer PRs). Positive on the 
>>>>> “active” mode based on TPAC discussions and GitHub issues 
>>>>> <https://github.com/w3c-fedid/active-mode/issues/2#issuecomment-2341644914>
>>>>> . 
>>>>>
>>>>> WebKit: No signal on the particular FedCM extensions. Positive 
>>>>> <https://github.com/WebKit/standards-positions/issues/309#issuecomment-2008324563>
>>>>>  on 
>>>>> the initial FedCM API. Standards position requests for FedCM extensions 
>>>>> have been merged 
>>>>> <https://github.com/WebKit/standards-positions/issues/309> so not 
>>>>> filing a new one.
>>>>>
>>>>> Web developers: Positive <https://github.com/fedidcg/FedCM/issues/442> 
>>>>> These 
>>>>> features are being developed to address existing feedback for the FedCM 
>>>>> API.
>>>>>
>>>>> Other signals: N/A
>>>>>
>>>>> Activation
>>>>> Similar to the FedCM API, we deliberately leave the bulk of the work 
>>>>> to the IdP to ensure that minimal RP change is needed. 
>>>>>
>>>>> This feature, specifically, is one that can be currently controlled by 
>>>>> JS SDKs, so we expect activation to have a similar profile as FedCM: 
>>>>> immediately enabled to websites (without redeployment) by IdPs making use 
>>>>> of it (by redeploying their JS SDKs).
>>>>>
>>>>> Security
>>>>>
>>>>> The active mode shares all of the security properties from the passive 
>>>>> mode. e.g. honoring CSP, CORS, using security headers, not asking users 
>>>>> to 
>>>>> type in the browser UI etc.
>>>>>
>>>>> It’s worth noting that the pop-up window has the same web platform 
>>>>> properties as what one would get with 
>>>>> window.open(url,””,”popup,noopener,noreferrer”)) that loads the 
>>>>> login_url. 
>>>>> There's no communication between the website and this pop-up is allowed 
>>>>> (e.g. no postMessage, no window.opener).
>>>>>
>>>>> WebView application risks
>>>>>
>>>>> Does this intent deprecate or change behavior of existing APIs, such 
>>>>> that it has potentially high risk for Android WebView-based applications?
>>>>>
>>>>> None
>>>>>
>>>>> Debuggability
>>>>>
>>>>> Same as FedCM in general – console messages in devtools and general JS 
>>>>> debugging. e.g. we show messages when transient activation is missing 
>>>>> when 
>>>>> invoking an active mode, or when a passive flow is terminated in favor of 
>>>>> an active flow etc.
>>>>>
>>>>> Will this feature be supported on all six Blink platforms (Windows, 
>>>>> Mac, Linux, ChromeOS, Android, and Android WebView)?
>>>>>
>>>>> No, FedCM API is not available in WebView
>>>>>
>>>>> Is this feature fully tested by web-platform-tests 
>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>
>>>>> ?
>>>>>
>>>>> Yes 
>>>>> <https://wpt.fyi/results/fedcm/fedcm-button-and-other-account?label=master&label=experimental&aligned&q=fedcm%2Ffedcm-button-and-other-account%2F>
>>>>>
>>>>> Flag name on chrome://flags
>>>>>
>>>>> FedCmButtonMode, FedCmUseOtherAccount
>>>>>
>>>>> Finch feature name
>>>>>
>>>>> FedCmButtonMode, FedCmUseOtherAccount
>>>>>
>>>>> Requires code in //chrome?
>>>>>
>>>>> True
>>>>>
>>>>> Tracking bug
>>>>>
>>>>> https://crbug.com/1490588, https://crbug.com/40939658
>>>>>
>>>>> Launch bug
>>>>>
>>>>> https://launch.corp.google.com/launch/4348674
>>>>>
>>>>> Sample links
>>>>>
>>>>> https://fedcm-button.glitch.me
>>>>>
>>>>> Estimated milestones
>>>>>
>>>>> Shipping on desktop
>>>>>
>>>>> 132
>>>>>
>>>>> Origin trial desktop first
>>>>>
>>>>> 125
>>>>>
>>>>> Origin trial desktop last
>>>>>
>>>>> 133
>>>>>
>>>>> Origin trial extension 1 end milestone
>>>>>
>>>>> 130
>>>>>
>>>>> Origin trial extension 2 end milestone
>>>>>
>>>>> 133
>>>>>
>>>>> DevTrial on desktop
>>>>>
>>>>> 124
>>>>>
>>>>> Shipping on Android
>>>>>
>>>>> 132
>>>>>
>>>>> Origin trial Android first
>>>>>
>>>>> 128
>>>>>
>>>>> Origin trial Android last
>>>>>
>>>>> 133
>>>>>
>>>>> DevTrial on Android
>>>>>
>>>>> 125
>>>>>
>>>>>
>>>>> Anticipated spec changes
>>>>>
>>>>> Open questions about a feature may be a source of future web compat or 
>>>>> interop issues. Please list open issues (e.g. links to known github 
>>>>> issues 
>>>>> in the project for the feature specification) whose resolution may 
>>>>> introduce web compat/interop risk (e.g., changing to naming or structure 
>>>>> of 
>>>>> the API in a non-backward-compatible way).
>>>>>
>>>>> None
>>>>>
>>>>> Link to entry on the Chrome Platform Status
>>>>>
>>>>> https://chromestatus.com/feature/4689551782313984?gate=4942283999019008
>>>>>
>>>>> Links to previous Intent discussions
>>>>>
>>>>> Intent to Prototype: 
>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACh2XCPzJ1beiSbsmQqvu9x24zmf6LkGuup%3DgPVyXEx%2Bux9%3Dyg%40mail.gmail.com
>>>>>
>>>>> Intent to Experiment: 
>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1745ebe7-6c98-49c7-9d98-94b25d39b409n%40chromium.org
>>>>>
>>>>> Intent to Extend Experiment 1: 
>>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/bQqXXv2S9q0/m/yHvhuFL3AQAJ
>>>>> Intent to Extend Experiment 2: 
>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACh2XCMPQ9s2hUR2UYuTTkRDra0qfjxBXA0bOme2baQGbPE6NA%40mail.gmail.com
>>>>>
>>>>> -- 
>>>>> You received this message because you are subscribed to the Google 
>>>>> Groups "blink-dev" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>>> an email to blink-dev+unsubscr...@chromium.org.
>>>>> To view this discussion visit 
>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK9HhFkgmbC_UG8G5yYguB609UZY%3DV66qrJrVor3PdStbadY6g%40mail.gmail.com
>>>>>  
>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK9HhFkgmbC_UG8G5yYguB609UZY%3DV66qrJrVor3PdStbadY6g%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>>> .
>>>>>
>>>> -- 
>>>>
>>> You received this message because you are subscribed to the Google 
>>>> Groups "web-identity-core" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to web-identity-core+unsubscr...@google.com.
>>>> To view this discussion visit 
>>>> https://groups.google.com/a/google.com/d/msgid/web-identity-core/CAOMQ%2Bw90Jj7RBzmjrrQFD274KthUpLLQ5u_XxvOxYHECzquxQQ%40mail.gmail.com
>>>>  
>>>> <https://groups.google.com/a/google.com/d/msgid/web-identity-core/CAOMQ%2Bw90Jj7RBzmjrrQFD274KthUpLLQ5u_XxvOxYHECzquxQQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>> .
>>>> For more options, visit https://groups.google.com/a/google.com/d/optout
>>>> .
>>>>
>>>> -- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "web-identity-xfn" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to web-identity-xfn+unsubscr...@google.com.
>>>> To view this discussion visit 
>>>> https://groups.google.com/a/google.com/d/msgid/web-identity-xfn/CAOMQ%2Bw90Jj7RBzmjrrQFD274KthUpLLQ5u_XxvOxYHECzquxQQ%40mail.gmail.com
>>>>  
>>>> <https://groups.google.com/a/google.com/d/msgid/web-identity-xfn/CAOMQ%2Bw90Jj7RBzmjrrQFD274KthUpLLQ5u_XxvOxYHECzquxQQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>> .
>>>> For more options, visit https://groups.google.com/a/google.com/d/optout
>>>> .
>>>>
>>>

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to blink-dev+unsubscr...@chromium.org.
To view this discussion visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/84191201-1786-4b66-9732-40f04c6101f1n%40chromium.org.

Reply via email to