Replace Sec-FedCM-CSRF with Sec-Fetch-Dest

w3c-fedid / FedCM

A privacy preserving identity exchange Web API

https://w3c-fedid.github.io/FedCM/

Other

375 stars 72 forks source link

Replace Sec-FedCM-CSRF with Sec-Fetch-Dest #353

Closed cbiesinger closed 2 years ago

cbiesinger commented 2 years ago

Instead of introducing a new header Sec-FedCM-CSRF, I propose that we instead use the existing Sec-Fetch-Dest header with a new value web-identity, matching the root manifest's filename (.well-known/web-identity, https://fedidcg.github.io/FedCM/#check-the-root-manifest)

@bvandersloot-mozilla fyi

annevk commented 2 years ago

I hope this is now considered resolved? (Though using "webidentity" sans hyphen.)

cbiesinger commented 2 years ago

Yes thanks! https://fedidcg.github.io/FedCM/ does set the destination to webidentity thanks to npm.