-
Notifications
You must be signed in to change notification settings - Fork 74
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow setting IDP login status from same-site subresources #537
Comments
cbiesinger
added a commit
to cbiesinger/WebID
that referenced
this issue
Jan 18, 2024
Some IDPs have their login on one subdomain but the FedCM endpoint on a different subdomain, and this change lets them set the login status on the correct origin. Bug: w3c-fedid#537
npm1
pushed a commit
that referenced
this issue
Aug 16, 2024
Some IDPs have their login on one subdomain but the FedCM endpoint on a different subdomain, and this change lets them set the login status on the correct origin. Bug: #537
This is fixed by the merged pull request mentioned above (#538) |
npm1
pushed a commit
that referenced
this issue
Sep 18, 2024
Some IDPs have their login on one subdomain but the FedCM endpoint on a different subdomain, and this change lets them set the login status on the correct origin. Bug: #537
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Background
The login status API currently only allow setting the login status on toplevel loads or for subresources who are same-origin with all their ancestors, both when using the JavaScript API and when using the HTTP header.
However, some IDPs want to use one origin for their FedCM endpoints but log in users on a different origin. With the same-origin restriction, this would require a toplevel redirect or opening a popup, which leads to disruptive user experiences especially if the current login flow does not depend on a top-level navigation.
Proposal
We are proposing to relax the same-origin restriction to a same-site (that is, same eTLD+1) restriction. For example:
The login status headers in this example will currently be ignored, but in the proposal would be processed.
Subsequent FedCM calls to
https://fedcm.idp.example/fedcm.json
would then be allowed:Because the initial login state for an IDP in Chrome is “unknown” and not “logged-out”, this example would actually work initially even in the absence of login status setters. However, if the user is not logged in to the IDP during the very first time FedCM is used with that IDP, we would mark the status as logged-out and require a valid login status header or JS call to update this status. Therefore, it is important that IDPs send a header that Chrome considers valid.
Identity Providers should consider making the subresource request with CORS and credentials included so that their endpoint can verify the correct login state.
Security & Privacy
The same-origin restriction was originally introduced so that an RP can not ‘artificially’ set an IDP’s login status by just making an invisible fetch() request or using an invisible iframe and thus allow potentially-tracking FedCM requests every time.
However, relaxing the restriction to a same-site restriction does not impact the privacy properties, because communication within a site with shared identifiers is already possible (using domain cookies) and is not considered a tracking vector.
User agents should process the login header under the same circumstances as a Set-Cookie header, i.e. as long as the network isolation key is not transient. Note that partitioned cookies use the site (registrable domain) as the partition key, which matches the same-site model in this proposal.
The text was updated successfully, but these errors were encountered: