-
Notifications
You must be signed in to change notification settings - Fork 22.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Technical review: Add content on FedCM Login Status API, Error API and isAutoSelected #31521
Technical review: Add content on FedCM Login Status API, Error API and isAutoSelected #31521
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good!
Thanks @npm1! We are close now. The only bits left now are a couple of clarifications/verifications:
|
Thanks again @npm1. I've gotten the last couple of fixes done before signing off tonight. Let me know if there is anything else you think this needs, or give me an LGTM, so we can get it put into editorial review tomorrow! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a couple more comments but LGTM
| accounts_endpoint | `GET` | No | Yes | No | | ||
| client_metadata_endpoint | `GET` | Yes | No | Yes | | ||
| id_assertion_endpoint | `POST` | Yes | Yes | Yes | | ||
| Endpoint/resource | Method | Credentialed | Includes cookies | Includes {{httpheader("Origin")}} | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry I missed that this table has 'credentialed' and 'includes cookies'. Those are the same thing? The Credentialed column is incorrect anyways so can we remove it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, done. I also changed the column header to "Credentialed (with cookies)" just in case some people understand one, and some understand the other.
|
||
## The `Sec-Fetch-Dest` HTTP header | ||
|
||
All requests sent from the browser via FedCM include a `{{httpheader("Sec-Fetch-Dest")}}: webidentity` header to prevent {{glossary("CSRF")}} attacks. All IdP endpoints must confirm this header is included. For example, the well-known file request would look like so: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We were discussing some issue with the team regarding this. In reality, while all endpoints have that Dest, it is only really important to check it on the credentialed (eg accounts and id assertion) endpoints. Perhaps we can update this to note that instead of saying all endpoints?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Makes sense - done! I also included the webidentity
value on the actual Sec-Fetch-Dest
header ref page, as I noticed it was missing.
Great stuff, thanks @npm1. I'll get this passed into the editorial review stage (I'll create a new PR based on the same branch to contain that, so it doesn't become too busy). |
Note: This technical review is now completed and approved. For the follow-on editorial review, see #31658.
Description
Chrome 120 adds several updates to the FedCM API (see https://chromestatus.com/feature/5177628008382464 and https://chromestatus.com/feature/5384360374566912).
This PR adds/modifies:
Navigator.login
NavigatorStatus
NavigatorStatus.setStatus()
Set-Login
HTTP headerget()
call rejects.IdentityCredential.isAutoSelected
property.IdentityProvider.close()
, which is not part of the above ChromeStatuses, but is related and not documented, so I decided to deal with it as part of this workstream.Note also:
See also my research document for more details of what changes were added.
Motivation
Additional details
Fixes mdn/mdn#501
Related BCD update: mdn/browser-compat-data#21721
Related issues and pull requests