w3c-fedid / FedCM

A privacy preserving identity exchange Web API
https://w3c-fedid.github.io/FedCM/

Processing model unclear #260

Open annevk opened 2 years ago

annevk commented 2 years ago

Throughout the specification it's very much unclear where certain state in algorithms is pulled from. E.g., https://fedidcg.github.io/FedCM/#fetch-the-manifest does not make it clear it takes a provider as argument (and what the type of that argument is). It also doesn't seem to explain at all where the CSP is coming from that it performs a check with. That would require at least an environment or some such.

npm1 commented 2 years ago

The algorithms are much improved right now in terms of passing state into the various methods. Regarding the CSP check, @cbiesinger, do you know what method is being used? Right now the check links to the spec itself.

cbiesinger commented 2 years ago

Not sure what you mean by method? We check against the "connect" policy, if that helps. (I guess we should link to https://w3c.github.io/webappsec-csp/#should-block-request maybe?)