PSA: Use Origin header instead of Referer in FedCM requests


Yi Gu

Dec 5, 2022, 2:32:38 PM
to blink-dev

Contact emails

yi...@chromium.org


Specification

https://github.com/fedidcg/FedCM/issues/379


Summary

Currently we use “Referer” in the header when sending requests to identity providers. “Origin”, on the other hand, is a more modern concept and its semantics agree with the value we have. As a result, we decided to use “Origin” instead during a recent discussion with Safari and Firefox. In particular:

  • UA should use Origin instead of Referer for the requests that need to expose the RP

  • UA should send no Origin (instead of Origin: null) for requests that do not expose the RP


Risks

This may break identity providers who have already implemented the FedCM API and have a dependency on the “Referer” header. Given that we just shipped FedCM in M108, the number of implementers is manageable and we have reached out to them individually to notify them of the change, so there should be no impact on users.


Blink component

Blink>Identity>FedCM


Debuggability

We are adding WPT tests and unit tests in this patch.


Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1381227


Estimated milestone

M110
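
For identity providers affected by this change, a sketch of resolving the RP from the Origin header on the server, with an optional Referer fallback for browsers that have not yet switched. This is an added example, not code from Chromium or the FedCM specification; the function names, the registered-RP list and the fallback switch are assumptions.

```javascript
// Constructed allow-list: RP origins registered with this hypothetical IdP.
const REGISTERED_RPS = new Set(['https://rp.example', 'https://shop.example:8443']);

// Reduce a header value to a serialized http(s) origin, or null if it has none.
function toOrigin(value) {
  try {
    const u = new URL(value);
    return (u.protocol === 'https:' || u.protocol === 'http:') ? u.origin : null;
  } catch {
    return null; // not a URL at all, e.g. the literal string "null"
  }
}

// headers: object keyed by lower-cased header names.
// needsRp: true for endpoints that must know which RP is asking.
// acceptLegacyReferer: transition switch for browsers that still send Referer.
function resolveRp(headers, { needsRp, acceptLegacyReferer = false }) {
  if (!needsRp) {
    // Requests that do not expose the RP carry no Origin header, so nothing
    // RP-specific may be derived from them.
    return { ok: true, rp: null };
  }
  const origin = headers['origin'];
  let rp = null;
  let source = 'origin';
  if (origin !== undefined) {
    // Origin must already be a bare origin: no path, no "null". When present
    // it always wins over Referer.
    rp = toOrigin(origin) === origin ? origin : null;
  } else if (acceptLegacyReferer && headers['referer'] !== undefined) {
    rp = toOrigin(headers['referer']);
    source = 'referer';
  }
  if (rp === null) return { ok: false, reason: 'no-rp-origin' };
  if (!REGISTERED_RPS.has(rp)) return { ok: false, reason: 'unregistered-rp' };
  return { ok: true, rp, source };
}
```

Turning off acceptLegacyReferer once all supported browser versions send Origin leaves a single header as the source of the RP identity.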


Rick Byers

Dec 6, 2022, 2:19:33 PM
to Yi Gu, blink-dev
Thanks for the PSA, Yi! I agree that the compat risk is low enough not to require an official deprecation/removal process.

Rick
