FedCM within Iframe and User interaction requirements

[jagadeeshaby]

Are there any specific user interaction requirement defined to request for third party sign-in permissions or using FedCM? Like in RSA we have 2 requirements a) Embedded Iframe interaction b) top level user interaction

[npm1]

No user interaction requirements. For iframe, requires permissions policy.

[jagadeeshaby]

No user interaction requirements. For iframe, requires permissions policy.

this doesn't sound right to provide access to top level cookies without any user interactions within the iframe. are we sure on that? if so may be for RSA as well we should evaluate why we enforcing such requirements.

How different is it from asking permission for microphone or notification from iframe where we have requirement of making sure iframe is visible and interactive?

[npm1]

this doesn't sound right to provide access to top level cookies without any user interactions within the iframe. are we sure on that? if so may be for RSA as well we should evaluate why we enforcing such requirements.

First of all, that's not what FedCM does at all. Secondly, even though there are no user interaction requirements to invoke the API, for a user that hasn't used FedCM before, it still requires the user to engage with the FedCM UI in order for federated login to proceed. I can't speak for the requirements for RSA but it is a pretty different ultra generic UI, which is probably not great to show to users.

How different is it from asking permission for microphone or notification from iframe where we have requirement of making sure iframe is visible and interactive?

I'm also not super familiar with the requirements for these. For FedCM though, often the iframe is just a sandbox for the top-level so it does not really matter if it is visible/interactive, though if there were concerns with this we could revisit. I will say though, these are also very different so I don't see this as a good argument either.