Intent to Ship: FedCM: Credentialed requests will no longer send SameSite=Strict cookies

667 views
Skip to first unread message

Christian Biesinger

unread,
Apr 17, 2024, 5:19:28 PMApr 17
to blink-dev

Contact emails

cbies...@chromium.org


Explainer

See summary


Specification

https://fedidcg.github.io/FedCM/#fetch-identity-assertion


Summary

We recently changed FedCM to send ID assertion requests with CORS. As a side-effect, that change also meant that we no longer send SameSite=Strict cookies to the ID assertion endpoint (we still send SameSite=None). Since it does not make sense to send a different set of cookies to the accounts endpoint and the ID assertion endpoint, this change makes them consistent – they both should get the same credentials as they identify the user in the same way.

Not sending SameSite=Strict cookies is also consistent with requestStorageAccess behavior and cross-site requests in general.

Blink component

Blink>Identity>FedCM

Search tags

fedcm, samesite, cookies


TAG review

None


TAG review status

Not applicable


Risks



Interoperability and Compatibility

There should be no interop risk because no other browser has shipped FedCM yet and this change was requested by Webkit, with Gecko supporting the request.


With regards to compatibility, we have tested the known IDPs that use FedCM and this is not an issue. In addition, for any IDP that supports "Sign in with X" on the web without FedCM, cookies must already be SameSite=None because these requests are cross-origin by definition.

Gecko: Positive. Change supported by Gecko (https://github.com/fedidcg/FedCM/issues/320#issuecomment-2012070115). Not filing a standards position request for small additions at the explicit request from Firefox (they prefer PRs).

WebKit: Positive. Change requested by WebKit (in a VC, no link available). Recently, standards position requests for smaller FedCM features have been closed, pointing to the (unresolved) main FedCM one in https://github.com/WebKit/standards-positions/issues/309 so not filing one for this.



Web developers: No signals


Other signals:


WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

None



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

No

Supported on all platforms except Webview, where FedCM is not supported in general



Is this feature fully tested by web-platform-tests?

Yes: https://wpt.fyi/results/credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html?label=experimental&label=master&aligned 


Flag name on chrome://flags

None


Finch feature name

FedCmSameSiteNone


Requires code in //chrome?

False (but FedCM in general does)


Tracking bug

https://crbug.com/329145816


Estimated milestones

Shipping on desktop

125 if possible, otherwise 126

DevTrial on desktop

124


Shipping on Android

125 if possible, otherwise 126





Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

None


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5092883024838656


This intent message was generated by Chrome Platform Status.


Domenic Denicola

unread,
Apr 17, 2024, 10:13:35 PMApr 17
to Christian Biesinger, blink-dev
On Thu, Apr 18, 2024 at 6:19 AM Christian Biesinger <cbies...@chromium.org> wrote:

I wasn't able to find the part of the spec that talks about which cookies are sent. Probably I just don't understand Fetch + cookies integration well enough. Could you help point it out? Or maybe link to the PR that makes the change?
 


Summary

We recently changed FedCM to send ID assertion requests with CORS. As a side-effect, that change also meant that we no longer send SameSite=Strict cookies to the ID assertion endpoint (we still send SameSite=None). Since it does not make sense to send a different set of cookies to the accounts endpoint and the ID assertion endpoint, this change makes them consistent – they both should get the same credentials as they identify the user in the same way.

Not sending SameSite=Strict cookies is also consistent with requestStorageAccess behavior and cross-site requests in general.

Blink component

Blink>Identity>FedCM

Search tags

fedcm, samesite, cookies


TAG review

None


TAG review status

Not applicable


Risks



Interoperability and Compatibility

There should be no interop risk because no other browser has shipped FedCM yet and this change was requested by Webkit, with Gecko supporting the request.


With regards to compatibility, we have tested the known IDPs that use FedCM and this is not an issue. In addition, for any IDP that supports "Sign in with X" on the web without FedCM, cookies must already be SameSite=None because these requests are cross-origin by definition.

Gecko: Positive. Change supported by Gecko (https://github.com/fedidcg/FedCM/issues/320#issassessment the team has done assessment the team has done uecomment-2012070115). Not filing a standards position request for small additions at the explicit request from Firefox (they prefer PRs).


--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPTJ0XGWV%3Dw4So1cgzyMonge2_3aSAHYUJuRnY98vHD%3DDDOZhg%40mail.gmail.com.

Christian Biesinger

unread,
Apr 18, 2024, 11:32:25 AMApr 18
to Domenic Denicola, Dominic Farolino, blink-dev
On Wed, Apr 17, 2024 at 10:13 PM Domenic Denicola <dom...@chromium.org> wrote:


On Thu, Apr 18, 2024 at 6:19 AM Christian Biesinger <cbies...@chromium.org> wrote:

I wasn't able to find the part of the spec that talks about which cookies are sent. Probably I just don't understand Fetch + cookies integration well enough. Could you help point it out? Or maybe link to the PR that makes the change?

It turns out our implementation did not match the spec in this respect, so there was no PR (just an impl change).

It is probably me who does not understand the fetch + cookies integration, but my thinking is that because we give an origin to the fetch algorithm (the RP's origin), which is not same-site with the identity provider (normally), fetch should not send SameSite=Strict cookies.

Also cc'ing Dominic (Farolino) who has helped us in this area.

[You may ask, what happens if the RP is indeed same-site with the IDP? I think we would send SameSite=Strict cookies in that situation, but that case is rare]

Christian

Christian Biesinger

unread,
Apr 23, 2024, 2:05:24 PMApr 23
to Domenic Denicola, Dominic Farolino, blink-dev
Just wanted to ping this thread -- any lgtms? Or will it be discussed at tomorrow's meeting?

Christian

Johann Hofmann

unread,
Apr 23, 2024, 3:08:33 PMApr 23
to Christian Biesinger, Domenic Denicola, Dominic Farolino, blink-dev, ann...@annevk.nl
I wanted to chime in on fetch + cookies integration: Yes, it's very underspecified and leaves the computation of the actual SameSite status of cookies included in the request to the cookies RFC. This needs work on Fetch, 6265bis, HTML and Cookie Store specs (and now also needs to consider 3PC blocking!) which we're actively doing right now and hope to have some progress to share soon. I would not want to block this feature on it (and we haven't blocked other features in the past). I would expect the FedCM spec to adjust to the cookie layering work once that lands, and can work with the team to make sure that happens.

Hope this helps,

Johann

Yoav Weiss (@Shopify)

unread,
Apr 24, 2024, 11:04:14 AMApr 24
to blink-dev, Johann Hofmann, Domenic Denicola, Dominic Farolino, blink-dev, ann...@annevk.nl, Christian Biesinger
fetch-accounts says that the origin for accounts requests is an opaque origin. What does that mean for `Same-Site: Lax` cookies? Will they be sent or not?

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

Christian Biesinger

unread,
Apr 24, 2024, 11:46:47 AMApr 24
to Yoav Weiss (@Shopify), blink-dev, Johann Hofmann, Domenic Denicola, Dominic Farolino, ann...@annevk.nl
Hi Yoav,

with regards to the spec: As Johann suggests, this can't really be specified today and I am hoping we won't block on that as he suggests. (the cookie spec linked from the fetch spec does not mention SameSite at all... https://httpwg.org/specs/rfc6265.html#cookie)

with regards to the implementation: We do not send SameSite=Lax cookies

Christian

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

Yoav Weiss (@Shopify)

unread,
Apr 24, 2024, 12:29:18 PMApr 24
to Christian Biesinger, blink-dev, Johann Hofmann, Domenic Denicola, Dominic Farolino, ann...@annevk.nl
LGTM1

On Wed, Apr 24, 2024 at 5:46 PM Christian Biesinger <cbies...@chromium.org> wrote:
Hi Yoav,

with regards to the spec: As Johann suggests, this can't really be specified today and I am hoping we won't block on that as he suggests. (the cookie spec linked from the fetch spec does not mention SameSite at all... https://httpwg.org/specs/rfc6265.html#cookie)

Yeah, I'm convinced that this entire area is not currently specified, and that y'all are making strides towards that, and we shouldn't block this particular change on them.
I just wanted to verify that what y'all are planning to ship aligns with my understanding of what we'd want to eventually specify here.
 

with regards to the implementation: We do not send SameSite=Lax cookies

That makes sense. Thanks!

Chris Harrelson

unread,
Apr 24, 2024, 12:39:11 PMApr 24
to Yoav Weiss (@Shopify), Christian Biesinger, blink-dev, Johann Hofmann, Domenic Denicola, Dominic Farolino, ann...@annevk.nl

Mike Taylor

unread,
Apr 24, 2024, 3:30:50 PMApr 24
to Chris Harrelson, Yoav Weiss (@Shopify), Christian Biesinger, blink-dev, Johann Hofmann, Domenic Denicola, Dominic Farolino, ann...@annevk.nl

Christian Biesinger

unread,
Apr 24, 2024, 3:35:30 PMApr 24
to Mike Taylor, Chris Harrelson, Yoav Weiss (@Shopify), blink-dev, Johann Hofmann, Domenic Denicola, Dominic Farolino, ann...@annevk.nl
Thanks everyone for the approvals! This will ship in 125.

Christian
Reply all
Reply to author
Forward
0 new messages