Intent to Ship: FedCM: Credentialed requests will no longer send SameSite=Strict cookies
Christian Biesinger
Contact emails
Explainer
See summary
Specification
https://fedidcg.github.io/FedCM/#fetch-identity-assertion
Summary
We recently changed FedCM to send ID assertion requests with CORS. As a side-effect, that change also meant that we no longer send SameSite=Strict cookies to the ID assertion endpoint (we still send SameSite=None). Since it does not make sense to send a different set of cookies to the accounts endpoint and the ID assertion endpoint, this change makes them consistent – they both should get the same credentials as they identify the user in the same way.
Not sending SameSite=Strict cookies is also consistent with requestStorageAccess behavior and cross-site requests in general.
Blink component
Search tags
TAG review
None
TAG review status
Not applicable
Risks
Interoperability and Compatibility
There should be no interop risk because no other browser has shipped FedCM yet and this change was requested by Webkit, with Gecko supporting the request.
With regards to compatibility, we have tested the known IDPs that use FedCM and this is not an issue. In addition, for any IDP that supports "Sign in with X" on the web without FedCM, cookies must already be SameSite=None because these requests are cross-origin by definition.
Gecko: Positive. Change supported by Gecko (https://github.com/fedidcg/FedCM/issues/320#issuecomment-2012070115). Not filing a standards position request for small additions at the explicit request from Firefox (they prefer PRs).
WebKit: Positive. Change requested by WebKit (in a VC, no link available). Recently, standards position requests for smaller FedCM features have been closed, pointing to the (unresolved) main FedCM one in https://github.com/WebKit/standards-positions/issues/309 so not filing one for this.
Web developers: No signals
Other signals:
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
Debuggability
None
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
No
Supported on all platforms except Webview, where FedCM is not supported in general
Is this feature fully tested by web-platform-tests?
Flag name on chrome://flags
None
Finch feature name
FedCmSameSiteNone
Requires code in //chrome?
False (but FedCM in general does)
Tracking bug
Estimated milestones
Anticipated spec changes
Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
None
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5092883024838656
This intent message was generated by Chrome Platform Status.
Domenic Denicola
Contact emails
Explainer
See summary
Specification
Summary
We recently changed FedCM to send ID assertion requests with CORS. As a side-effect, that change also meant that we no longer send SameSite=Strict cookies to the ID assertion endpoint (we still send SameSite=None). Since it does not make sense to send a different set of cookies to the accounts endpoint and the ID assertion endpoint, this change makes them consistent – they both should get the same credentials as they identify the user in the same way.
Not sending SameSite=Strict cookies is also consistent with requestStorageAccess behavior and cross-site requests in general.
Blink component
Search tags
TAG review
None
TAG review status
Not applicable
Risks
Interoperability and Compatibility
There should be no interop risk because no other browser has shipped FedCM yet and this change was requested by Webkit, with Gecko supporting the request.
With regards to compatibility, we have tested the known IDPs that use FedCM and this is not an issue. In addition, for any IDP that supports "Sign in with X" on the web without FedCM, cookies must already be SameSite=None because these requests are cross-origin by definition.
Gecko: Positive. Change supported by Gecko (https://github.com/fedidcg/FedCM/issues/320#issassessment the team has done assessment the team has done uecomment-2012070115). Not filing a standards position request for small additions at the explicit request from Firefox (they prefer PRs).
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPTJ0XGWV%3Dw4So1cgzyMonge2_3aSAHYUJuRnY98vHD%3DDDOZhg%40mail.gmail.com.
Christian Biesinger
On Thu, Apr 18, 2024 at 6:19 AM Christian Biesinger <cbies...@chromium.org> wrote:Contact emails
Explainer
See summary
Specification
I wasn't able to find the part of the spec that talks about which cookies are sent. Probably I just don't understand Fetch + cookies integration well enough. Could you help point it out? Or maybe link to the PR that makes the change?
Christian Biesinger
Johann Hofmann
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPTJ0XFRwwWmpJHVP1Y%3Dh1vBP4WemS9b1DtEaR07uK%2Bfi9sEpg%40mail.gmail.com.
Yoav Weiss (@Shopify)
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPTJ0XGWV%3Dw4So1cgzyMonge2_3aSAHYUJuRnY98vHD%3DDDOZhg%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
Christian Biesinger
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPTJ0XGWV%3Dw4So1cgzyMonge2_3aSAHYUJuRnY98vHD%3DDDOZhg%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
Yoav Weiss (@Shopify)
Hi Yoav,with regards to the spec: As Johann suggests, this can't really be specified today and I am hoping we won't block on that as he suggests. (the cookie spec linked from the fetch spec does not mention SameSite at all... https://httpwg.org/specs/rfc6265.html#cookie)
with regards to the implementation: We do not send SameSite=Lax cookies
Chris Harrelson
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSJ7OT1oD2BKAFBcpxr8A5%2BaArcr%3DF5q-oTHdBizC3cUNQ%40mail.gmail.com.
Mike Taylor
LGTM3
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw9oOzx-5fYojNYZZHKK2ZAxyW60uUknRqRx8TzkX4q_Ew%40mail.gmail.com.