Relax the login status requirement from same-origin to same-site

w3c-fedid / FedCM

A privacy preserving identity exchange Web API

https://w3c-fedid.github.io/FedCM/

Other

375 stars 72 forks source link

Relax the login status requirement from same-origin to same-site #538

Closed cbiesinger closed 2 months ago

cbiesinger commented 9 months ago

Some IDPs have their login on one subdomain but the FedCM endpoint on a different subdomain, and this change lets them set the login status on the correct origin.

Bug: #537

Preview | Diff

npm1 commented 9 months ago

Maybe edit your description so that is actually links the issue?

cbiesinger commented 9 months ago

Maybe edit your description so that is actually links the issue?

Could've sworn I already did that... anyway, done now.

cbiesinger commented 9 months ago

@bvandersloot-mozilla , does this look reasonable to you?

npm1 commented 2 months ago

Overall this is reasonable due to the scoping of cookies to site anyway.

Thanks for the review! Will merge this PR once the repo is migrated to the WG.

I wonder if we should consider using a permission policy rather than a strict ancestor check though.

It would not be very useful for the IdP to be allowed to change its login status if it does not have cookie access, hence why we did not consider adding permissions policy.