PSA: FedCM will skip well-known file checks when the IDP and RP are same-site


Christian Biesinger

Jan 11, 2024, 5:11:58 PM
to blink-dev

The FedCM code has previously enforced that an Identity Provider (IDP)'s configURL is listed in .well-known/web-identity under their eTLD+1 (e.g. https://google.com/.well-known/web-identity) so that the IDP cannot encode RP data in the accounts endpoint URL.

However, sometimes the RP and IDP are under the same eTLD+1 in staging or testing setups. The staging IDP's URL cannot be listed in the well-known file because it can only contain one URL. At the same time, cookies can already be shared among hosts in the same eTLD+1 with the Domain attribute, so this check has no impact on privacy for this case.

We have therefore changed Chrome to skip the well-known check if the RP and IDP are in the same eTLD+1. The change has been approved by the Chrome Web Platform security and privacy teams and will ship in Chrome 122.

One example where this would help is https://github.com/GoogleChromeLabs/privacy-sandbox-dev-support/issues/189 – the issue has been closed because an existing flag has been deemed sufficient after a bug fix, but with this change no flag is needed.
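The policy the post describes, written out as an added example (this is not Chromium's code): the well-known check is skipped only when the RP origin and the IDP configURL share an eTLD+1; otherwise the configURL must be the single URL listed in `.well-known/web-identity` under the IDP's eTLD+1, which is what stops an IDP from smuggling RP-specific data into the URL it serves accounts from. The public-suffix set and the well-known documents below are constructed stand-ins for the real Public Suffix List and for network fetches; `provider_urls` is the key the FedCM well-known file uses.

```python
import json
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real
# implementation consults the full list to compute eTLD+1).
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}

# Constructed well-known documents keyed by URL, in place of network fetches.
# As the post notes, the file may carry only one URL at this point.
WELL_KNOWN_FILES = {
    "https://idp.com/.well-known/web-identity":
        json.dumps({"provider_urls": ["https://accounts.idp.com/fedcm.json"]}),
}


def etld_plus_one(host: str) -> str:
    """Registrable domain (eTLD+1) of a host, using PUBLIC_SUFFIXES."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host} is a public suffix, not a site")
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def same_site(url_a: str, url_b: str) -> bool:
    """True when both URLs are https and share an eTLD+1 (same-site)."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    if a.scheme != "https" or b.scheme != "https":
        return False
    return etld_plus_one(a.hostname) == etld_plus_one(b.hostname)


def well_known_url(config_url: str) -> str:
    """The .well-known/web-identity URL under the IDP's eTLD+1."""
    site = etld_plus_one(urlsplit(config_url).hostname)
    return f"https://{site}/.well-known/web-identity"


def fetch_well_known(url: str) -> Optional[str]:
    """Offline stand-in for fetching the well-known file."""
    return WELL_KNOWN_FILES.get(url)


def validate_config_url(rp_origin: str, config_url: str) -> Tuple[bool, str]:
    """Apply the post's policy: skip the well-known check when RP and IDP are
    same-site; otherwise the configURL must be the one URL the file lists."""
    if same_site(rp_origin, config_url):
        return True, "same-site RP and IDP: well-known check skipped"
    body = fetch_well_known(well_known_url(config_url))
    if body is None:
        return False, "well-known file not found"
    try:
        urls = json.loads(body).get("provider_urls")
    except (json.JSONDecodeError, AttributeError):
        return False, "well-known file is not valid JSON"
    if not isinstance(urls, list) or len(urls) != 1:
        return False, "well-known file must list exactly one provider URL"
    if config_url != urls[0]:
        # A configURL carrying an RP-specific path or query string lands here,
        # which is exactly what the well-known check exists to prevent.
        return False, "configURL is not the URL listed in the well-known file"
    return True, "configURL matches the well-known file"


if __name__ == "__main__":
    # Staging setup from the post: RP and IDP under one eTLD+1, no file needed.
    print(validate_config_url("https://app.example.com",
                              "https://idp.example.com/config.json"))
    # Cross-site: the listed URL passes, a per-RP variant of it does not.
    print(validate_config_url("https://rp.org",
                              "https://accounts.idp.com/fedcm.json"))
    print(validate_config_url("https://rp.org",
                              "https://accounts.idp.com/fedcm.json?rp=rp.org"))
```

The same-site branch is only reached after both URLs are confirmed to be https and to resolve to the same registrable domain; an http origin or a host that is itself a public suffix never qualifies, so the relaxation stays limited to the staging case the post is about.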
