w3c-fedid / FedCM

A privacy preserving identity exchange Web API
https://w3c-fedid.github.io/FedCM/

Potential creation of (client_id, user) pairs through manipulated client_metadata links #659

Open togamid opened 1 month ago

togamid commented 1 month ago
  1. The IdP returns links to itself which contain the client_id as a response to the client_metadata endpoint.
  2. The user clicks on that link to view the privacy policy.
  3. The browser sends a request to the IdP. As this request is a normal new tab, the browser sends the user cookie along.
  4. The IdP gains both the client_id and the user cookie in one request without the explicit authorization of the user.

As this attack needs user interaction, it isn't that critical. However, it could be easily avoided by requiring the RP to provide links to its own privacy policy and terms of service instead of routing that information through the IdP

cbiesinger commented 1 month ago

Many IDPs provide a JS SDK to RPs, so when FedCM is used through such an SDK the same attack works even when the links are provided in the JS call.

I personally think that with the user interaction requirement this is not very problematic, especially since you can already window.open() that URL (I guess that does only work with the SDK or otherwise RP/IDP collusion).
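The pattern both comments describe (a privacy-policy or terms-of-service link that navigates back to the IdP while carrying the client_id, whether the link came from the client_metadata endpoint or from an IdP-supplied JS SDK) can be checked mechanically before the dialog shows it. The following is an added example, not code from this issue, the FedCM spec or the w3c-fedid repository: the field names `privacy_policy_url` and `terms_of_service_url` are the ones the spec's client metadata response uses, while `auditLinks`, `stripLeakyLinks`, the sample origin, client_id and URLs are assumptions constructed for the example.

```javascript
// Added example (not code from the FedCM spec or the w3c-fedid repository).
// Audits the privacy-policy / terms-of-service links an RP ends up showing
// in the FedCM dialog, whether they arrive from the IdP's client_metadata
// endpoint or from an IdP-supplied JS SDK, and flags the pattern described
// in this issue: a link that navigates back to the IdP while embedding the
// client_id, so that one first-party request carries both the RP identity
// and the IdP cookie.
//
// Assumed inputs: idpOrigin is the origin of the configured IdP, clientId is
// the RP's client_id, links is an object holding the two link fields named
// in the spec (privacy_policy_url, terms_of_service_url). Field names are
// the spec's; every other name here is hypothetical helper code.

const LINK_FIELDS = ["privacy_policy_url", "terms_of_service_url"];

// Returns a list of findings; an empty list means no link pairs the
// client_id with a navigation to the IdP in the way the issue describes.
function auditLinks(idpOrigin, clientId, links) {
  const findings = [];
  const idp = new URL(idpOrigin);

  for (const field of LINK_FIELDS) {
    const value = links[field];
    if (typeof value !== "string" || value === "") continue;

    let url;
    try {
      url = new URL(value);
    } catch {
      findings.push({ field, reason: "unparseable_url" });
      continue;
    }

    // Exact-origin comparison; a deployment may prefer a registrable-domain
    // match so that sub-domains of the IdP are caught as well.
    if (url.origin === idp.origin) {
      findings.push({ field, reason: "points_to_idp_origin" });
    }

    // Look for the client_id anywhere in the URL (path, query or fragment),
    // decoding percent-escapes first so "rp%2D1234" is not missed.
    let haystack = url.href;
    try {
      haystack = decodeURIComponent(url.href);
    } catch {
      // Malformed escapes: fall back to the raw href.
    }
    if (clientId && haystack.includes(clientId)) {
      findings.push({ field, reason: "embeds_client_id" });
    }
  }
  return findings;
}

// Returns a copy of links with every flagged field removed: the conservative
// response is to show the dialog without that link rather than send the user
// to a URL that pairs the client_id with their IdP cookie.
function stripLeakyLinks(idpOrigin, clientId, links) {
  const flagged = new Set(auditLinks(idpOrigin, clientId, links).map((f) => f.field));
  const clean = {};
  for (const [key, value] of Object.entries(links)) {
    if (!flagged.has(key)) clean[key] = value;
  }
  return clean;
}

// Constructed sample: the IdP points the privacy link back at itself with the
// client_id in the query string; the RP hosts its own terms of service.
const SAMPLE_IDP_ORIGIN = "https://idp.example";
const SAMPLE_CLIENT_ID = "rp-1234";
const SAMPLE_LINKS = {
  privacy_policy_url: "https://idp.example/privacy?client_id=rp-1234",
  terms_of_service_url: "https://rp.example/terms",
};

console.log(auditLinks(SAMPLE_IDP_ORIGIN, SAMPLE_CLIENT_ID, SAMPLE_LINKS));
console.log(stripLeakyLinks(SAMPLE_IDP_ORIGIN, SAMPLE_CLIENT_ID, SAMPLE_LINKS));
```

Run under Node (the `URL` class is global there and in browsers). The origin check and the client_id check are reported separately because they fail for different reasons: a link to the IdP without the client_id only reveals that some FedCM dialog was shown, while an RP-hosted link that embeds the client_id is harmless to the IdP but still worth a look. The exact-origin comparison is the simplest form of the check; matching on registrable domain catches an IdP that serves the policy page from a sibling host.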