search

w3c-fedid / FedCM

A privacy preserving identity exchange Web API
https://w3c-fedid.github.io/FedCM/
Other
383 stars 73 forks source link

IdP Registration API: should the browser reveal to the RP when no IdP has registered before? #605

Closed samuelgoto closed 3 months ago

samuelgoto commented 6 months ago

Currently, if no IdPs registered in the past, the browser reveals to the RP that fact, which could potentially be a breach of the user's privacy.

const credential = await navigator.credentials.get({
  identity: {
    providers: [{
      configURL: "any" // throws if no IdP has called IdentityProvider.register() ahead of time. Should it? 
    }]
  }
});

I'm not sure what the answer is, but I ran into this while testing this, so should be easily reproducible:

https://x.com/samuelgoto/status/1793776387356340357

cbiesinger commented 6 months ago

Looks like the code for that is here: https://source.chromium.org/chromium/chromium/src/+/main:content/browser/webid/federated_auth_request_impl.cc;l=694;drc=98f953c8a23d2008be9f7c8977b3c60d6fdfe53d

npm1 commented 5 months ago

That code implies to me that the rejection is being delayed...

npm1 commented 3 months ago

I checked and we do delay the rejection, as expected. Thus it is not the case that the browser reveals this information to the RP, as it is indistinguisable from the user closing the dialog once it shows up. Closing