Web-facing PSA: Allow setting IDP login status from same-site subresources


Christian Biesinger

Jan 24, 2024, 3:40:05 PM
to blink-dev

We have recently shipped the login status API to let identity providers (IdPs) (and, technically, other websites) tell Chrome when a user is logging in to or logging out from the website.


We previously only allowed setting the login status on top-level loads or for subresources which are same-origin with all their ancestors, both when using the JavaScript API and when using the HTTP header.


As described here, we now also allow same-site (same eTLD+1) subresources to set a login status (for the origin of the subresource). This is useful for IdPs where the IdP login happens on one subdomain, but the FedCM endpoint is on a different subdomain. To make sure that FedCM works correctly, the login status needs to be set on the FedCM subdomain.


The change has been approved by the Chrome Web Platform security and privacy teams and will ship in Chrome 122.


Spec change: https://github.com/fedidcg/FedCM/pull/538

WPT tests added in https://chromium-review.googlesource.com/c/chromium/src/+/5207174
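The rule the post describes, as an added example in JavaScript (not code from the post or from Chromium): a model of when a load may set the login status for its own origin, under the earlier same-origin rule and the new same-site rule. It assumes a tiny stand-in public-suffix table and the hypothetical names registrableDomain, sameSite and mayUpdateLoginStatus.

```javascript
// Added example, not code from the blink-dev post or from Chromium: a model of
// the rule for when a load may set the FedCM login status for its own origin.
// Assumption: PUBLIC_SUFFIXES is a tiny stand-in for the real Public Suffix
// List that browsers consult to compute eTLD+1 (the registrable domain).
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

// Registrable domain (eTLD+1) of a hostname, e.g. "fedcm.idp.org" -> "idp.org".
function registrableDomain(hostname) {
  const labels = hostname.split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return hostname; // no known suffix: treat the whole host as the site
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Same-site as the post uses it (same eTLD+1). The scheme comparison is an
// added assumption matching schemeful same-site: http:// and https:// differ.
function sameSite(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol &&
    registrableDomain(ua.hostname) === registrableDomain(ub.hostname);
}

// ancestorOrigins lists every frame above the load, nearest first; an empty
// list is a top-level navigation. policy "same-origin" is the earlier
// behaviour the post describes, "same-site" the Chrome 122 behaviour.
function mayUpdateLoginStatus(resourceOrigin, ancestorOrigins, policy = "same-site") {
  if (ancestorOrigins.length === 0) return true;
  const related = policy === "same-origin" ? sameOrigin : sameSite;
  return ancestorOrigins.every((anc) => related(resourceOrigin, anc));
}

// Constructed scenario from the post: the IdP login happens on one subdomain
// while the FedCM endpoint lives on another, and the FedCM response arrives
// as a subresource of the login page.
const loginPage = "https://accounts.idp.org";
const fedcmEndpoint = "https://fedcm.idp.org";
console.log(mayUpdateLoginStatus(fedcmEndpoint, [loginPage], "same-origin")); // false
console.log(mayUpdateLoginStatus(fedcmEndpoint, [loginPage]));                // true
console.log(mayUpdateLoginStatus(fedcmEndpoint, [loginPage, "https://rp.com"])); // false
```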
