Contact emails [email protected]
Explainer https://github.com/w3c-fedid/FedCM/pull/828 Specification https://github.com/w3c-fedid/FedCM/pull/823 Summary FedCM today requires the well-known file at https://<registrable-domain>/.well-known/web-identity (the apex). This blocks deployments where: - the apex cannot host files (apex domains can't use CNAME, breaking modern CDN/cloud onboarding), - the apex and the auth subdomain are owned by different teams, or - a white-label IDP is CNAME'd onto a customer subdomain and has no control over the customer apex. Proposal (per PR #823): Chromium should fetch the well-known file from https://web-identity.<registrable-domain>/.well-known/web-identity first, and fall back to the existing apex URL if the subdomain fetch fails (DNS/TLS/HTTP error, malformed JSON, or provider_urls length > 1). The fallback runs in parallel with the config fetch; request shape (opaque origin, credentials: omit, no-referrer, Sec-Fetch-Dest: webidentity) is unchanged. The same-site skipWellKnown shortcut is preserved. Why it's safe: The label is fixed (web-identity.), so the IDP cannot encode RP identity in the discovery URL — the existing anti-fingerprinting guarantee holds. Blink component Blink>Identity>FedCM Web Feature ID fedcm Motivation https://github.com/w3c-fedid/FedCM/issues/809 Initial public proposal No information provided Goals for experimentation None Requires code in //chrome? False Tracking bug https://issues.chromium.org/510015140 Estimated milestones No milestones specified Link to entry on the Chrome Platform Status https://chromestatus.com/feature/6319248273178624?gate=5104947470401536 This intent message was generated by Chrome Platform Status. -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69facd27.050a0220.e03d3.00f8.GAE%40google.com.
