Hello,
Unless I'm missing something, the linked "specification" (Issue #694 <http://github.com/w3c-fedid/FedCM/issues/694>) for FedCM Conditional Mediation is too vague for a security review. Please provide a clear spec that consolidates the feature's behavior, specifically addressing:

1. Trust & Verification: Are the attributes used to fill inputs (e.g., email) considered verified by the IdP? If so, how do the browser and RP verify them (e.g., claims check, origin match) to ensure they can be trusted (potentially replacing site-level verification)?

2. IdP Calls & Timing: When are calls made to the IdP? Does the FedCM exchange complete before or after the autofill suggestion is displayed?

3. Data Communication: How is the verified data communicated back to the website (e.g., Promise resolve, HTMLInputElement value update)?

I see there was already some prototyping back in April? crrev.com/c/6393877

Thanks,
Paris (Security Reviewer)

On Thursday, November 13, 2025 at 1:02:26 AM UTC+1 Chromestatus wrote:
> *Contact emails*
> [email protected], [email protected]
>
> *Explainer*
> https://github.com/w3c-fedid/FedCM/issues/694
>
> *Specification*
> https://github.com/w3c-fedid/FedCM/issues/694
>
> *Summary*
> By supporting conditional mediation from the Credential Management API for FedCM, we can enhance autofill capabilities with identity attributes sourced from identity providers via a FedCM conditional request.
>
> *Blink component*
> Blink>Identity>FedCM <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EIdentity%3EFedCM%22>
>
> *Web Feature ID*
> fedcm <https://webstatus.dev/features/fedcm>
>
> *Motivation*
> Input fields configured with autocomplete='webauthn' currently support Passkey's conditional mediation. Because users may also create accounts using federated credentials, exploring the augmentation of credential autofill with federated accounts presents an opportunity to mitigate account duplication.
>
> *Initial public proposal*
> https://github.com/w3c-fedid/FedCM/issues/694
>
> *Requires code in //chrome?*
> True
>
> *Tracking bug*
> https://crbug.com/410533051
>
> *Estimated milestones*
> No milestones specified
>
> *Link to entry on the Chrome Platform Status*
> https://chromestatus.com/feature/6471145475538944?gate=5701923141058560
>
> This intent message was generated by Chrome Platform Status <https://chromestatus.com>.
