Relax the login status requirement from same-origin to same-site #538
Maybe edit your description so that it actually links the issue?
Some IDPs have their login on one subdomain but the FedCM endpoint on a different subdomain, and this change lets them set the login status on the correct origin. Bug: w3c-fedid#537
Could've sworn I already did that... anyway, done now.
@bvandersloot-mozilla, does this look reasonable to you?
<div algorithm="process the login status header"> | ||
1. Let |origin| be the response's [=response/URL=]'s [=/origin=]. | ||
1. Let |client| be the [=/request=]'s [=request/client=]. | ||
1. If the request's [=request/destination=] is not `"document"`: | ||
1. If |client| is null, return. | ||
1. If |origin| is not [=same origin=] with the [=/request=]'s | ||
1. If |origin| is not [=/same site=] with the [=/request=]'s |
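Review bot: The replacement step "If |origin| is not [=/same site=] with the [=/request=]'s" widens which contexts can set a login status, but nothing in the visible algorithm says why same-site is sufficient. Consider adding a non-normative note next to that step giving the rationale from the PR description (login on one subdomain, FedCM endpoint on another) and spelling out which origin the status is recorded against, since |origin| is taken from the response URL rather than from |client|. It is also worth confirming that [=/same site=] resolves to HTML's scheme-aware definition and not to schemelessly same site, so that a scheme mismatch still fails this step.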
What is the significance of `/` in the dfn syntax? I don't see any reference in the bikeshed docs.
See https://speced.github.io/bikeshed/#autolink-inside -- it links to a dfn that has no for attribute (here, used to disambiguate what it links to)
Overall this is reasonable due to the scoping of cookies to site anyway.
I wonder if we should consider using a permission policy rather than a strict ancestor check though.
Thanks for the review! Will merge this PR once the repo is migrated to the WG.
It would not be very useful for the IdP to be allowed to change its login status if it does not have cookie access, hence why we did not consider adding permissions policy.
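The effect of the relaxation discussed in this thread, as an added example that is not part of the PR or the FedCM spec text: the same response is checked under the old same-origin rule and the new same-site rule. `PUBLIC_SUFFIXES`, `loginStatusAccepted` and the `idp.example` hosts are constructed for illustration, and the single `contextOrigin` argument is an assumption, because the quoted step is cut off before it says what |origin| is compared against.

```javascript
// Constructed stand-in for the Public Suffix List (PSL); real code needs the full list.
const PUBLIC_SUFFIXES = new Set(["co.uk", "github.io"]);

// Registrable domain (public suffix plus one label), or null for IPs and bare suffixes.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (/^[\d.]+$/.test(host) || host.startsWith("[")) return null; // IP literal
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    // Longest candidate suffix is tried first, so "co.uk" wins over the default rule.
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // PSL default rule: an unlisted last label is itself the public suffix.
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

// Same origin: scheme, host and port all match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Scheme-aware "same site" as HTML defines it: same scheme and same registrable
// domain, falling back to exact host equality when there is no registrable domain.
function sameSite(a, b) {
  const ua = new URL(a), ub = new URL(b);
  if (ua.protocol !== ub.protocol) return false;
  const ra = registrableDomain(ua.hostname);
  if (ra === null) return ua.hostname === ub.hostname;
  return ra === registrableDomain(ub.hostname);
}

// Hypothetical helper: would a login status header on responseUrl be processed
// for a non-document request made from contextOrigin under the given rule?
function loginStatusAccepted(responseUrl, contextOrigin, rule) {
  const check = rule === "same-site" ? sameSite : sameOrigin;
  return check(responseUrl, contextOrigin);
}
```

Hosts that share only a public suffix, such as two `github.io` subdomains, stay different sites, which is why the check depends on the full PSL rather than on a suffix match.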
SHA: 548e7b2 Reason: push, by npm1 Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>