Explainer
See summary

Specification
https://fedidcg.github.io/FedCM/#fetch-identity-assertion

Summary
We recently changed FedCM to send ID assertion requests with CORS. As a side-effect, that change also meant that we no longer send SameSite=Strict cookies to the ID assertion endpoint (we still send SameSite=None). Since it does not make sense to send a different set of cookies to the accounts endpoint and the ID assertion endpoint, this change makes them consistent – they both should get the same credentials as they identify the user in the same way.
Not sending SameSite=Strict cookies is also consistent with requestStorageAccess behavior and cross-site requests in general.

TAG review
None

TAG review status
Not applicable

Risks

Interoperability and Compatibility
There should be no interop risk because no other browser has shipped FedCM yet and this change was requested by WebKit, with Gecko supporting the request.
With regards to compatibility, we have tested the known IDPs that use FedCM and this is not an issue. In addition, for any IDP that supports "Sign in with X" on the web without FedCM, cookies must already be SameSite=None because these requests are cross-origin by definition.

Gecko: Positive. Change supported by Gecko (https://github.com/fedidcg/FedCM/issues/320#issuecomment-2012070115). Not filing a standards position request for small additions at the explicit request from Firefox (they prefer PRs).
WebKit: Positive. Change requested by WebKit (in a VC, no link available). Recently, standards position requests for smaller FedCM features have been closed, pointing to the (unresolved) main FedCM one in https://github.com/WebKit/standards-positions/issues/309, so not filing one for this.
Web developers: No signals
Other signals:
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
None
No
Supported on all platforms except Webview, where FedCM is not supported in general
None
FedCmSameSiteNone
False (but FedCM in general does)
Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
None
https://chromestatus.com/feature/5092883024838656
This intent message was generated by Chrome Platform Status.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPTJ0XGWV%3Dw4So1cgzyMonge2_3aSAHYUJuRnY98vHD%3DDDOZhg%40mail.gmail.com.
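An added example, not code from the intent, Chrome or the FedCM spec, modelling the cookie behaviour the intent describes: only SameSite=None cookies (which must also be Secure) reach a cross-site credentialed request such as the FedCM accounts and ID assertion fetches, while Strict and Lax cookies are withheld. It also gives the IDP-side audit an operator would run over their own Set-Cookie headers to find session cookies FedCM will never see; the SameSite model is deliberately simplified and the sample headers are constructed.

```javascript
// Added example, not code from the intent, Chrome or the FedCM spec.
// Simplified SameSite model: a cookie reaches a cross-site, credentialed
// subresource request (the FedCM accounts and ID assertion fetches) only if
// it is SameSite=None AND Secure; Strict and Lax are withheld, and a missing
// SameSite attribute is treated as Lax (Chrome's default).

/** Parse one Set-Cookie header value into { name, value, attrs }. */
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of rest) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

/** Effective SameSite mode; an absent or unknown value defaults to Lax. */
function sameSiteMode(cookie) {
  const v = typeof cookie.attrs.samesite === 'string' ? cookie.attrs.samesite.toLowerCase() : '';
  return v === 'none' ? 'None' : v === 'strict' ? 'Strict' : 'Lax';
}

/** Names of the cookies a browser attaches to a cross-site credentialed fetch. */
function cookiesSentCrossSite(cookies) {
  return cookies
    .filter((c) => sameSiteMode(c) === 'None' && c.attrs.secure === true)
    .map((c) => c.name);
}

/** IDP-side audit: session cookies that would NOT reach the FedCM endpoints. */
function auditIdpCookies(setCookieHeaders) {
  const cookies = setCookieHeaders.map(parseSetCookie);
  const sent = new Set(cookiesSentCrossSite(cookies));
  return cookies
    .filter((c) => !sent.has(c.name))
    .map((c) => `${c.name} (SameSite=${sameSiteMode(c)}${c.attrs.secure ? '' : ', not Secure'})`);
}

// Constructed Set-Cookie headers for a hypothetical IDP (not a real provider).
const SAMPLE_SET_COOKIES = [
  'sid=abc123; Path=/; Secure; HttpOnly; SameSite=None', // the only one FedCM will see
  'csrf=xyz; Path=/; Secure; SameSite=Strict',           // withheld after this change
  'prefs=dark; Path=/',                                   // no attribute: Lax, withheld
  'legacy=1; SameSite=None',                              // None without Secure: Chrome rejects it at set time
];
```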
On Thu, Apr 18, 2024 at 6:19 AM Christian Biesinger <cbies...@chromium.org> wrote:
> Contact emails
> Explainer
> See summary
> Specification

I wasn't able to find the part of the spec that talks about which cookies are sent. Probably I just don't understand Fetch + cookies integration well enough. Could you help point it out? Or maybe link to the PR that makes the change?
Hi Yoav,

With regards to the spec: As Johann suggests, this can't really be specified today and I am hoping we won't block on that as he suggests. (The cookie spec linked from the fetch spec does not mention SameSite at all... https://httpwg.org/specs/rfc6265.html#cookie)

With regards to the implementation: We do not send SameSite=Lax cookies
LGTM3