suresh potti abandoned this change.
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
bool IsIdentityHandlerEnabled();is there a reason kFedCmIdentityHandler doesn't get a chrome://flags entry like its FedCM siblings ( kFedCmDelegation , kFedCmIdPRegistration , …)? An entry in about_flags.cc + flag_descriptions.{h,cc} would make local testing easier without requiring --enable-features=.
// Copyright 2021 The Chromium AuthorsShould we split the CL?
1) mojom + Blink IDL surface + event class (RuntimeEnabled-gated)
2) SW global scope dispatch hooks + WaitUntilObserver glue
3) content/browser dispatcher + handler SW manager + unit tests + flags
4) idp_network_request_manager integration and wpts
#include <optional>Nit: `OnRegistrationsForUnregisterFound` takes `const std::vector<scoped_refptr<ServiceWorkerRegistration>>&` but this header doesn't `#include <vector>`. Gets it transitively today. Per chromium IWYU, please add the direct include.
base::TimeDelta timeout = base::Seconds(10));nit: prefer a file-scope constexpr base::TimeDelta kIdentityRespondWithTimeout = base::Seconds(10); over a literal in a default arg. Easier to grep/tune, and a clean seam if we ever want a Finch knob.
receiver_ref->Close();When the 10s timeout fires we close the response pipe and the destructor
reports kRespondWithFailed, but the SW dispatch is not finished:
- The renderer's respondWith() promise is author-controlled; closing the
Mojo pipe does not cause it to settle.
- Therefore IdentityRequestRespondWithObserver::OnResponseFulfilled /
OnResponseRejected does not fire.
- Therefore the CreateSimpleEventCallback(event_finish_id) ACK passed into
DispatchIdentityRequestEvent never gets invoked.
Net effect: the external-request slot created by
StartRequestForFunctionalEvent stays open until ServiceWorkerVersion's
built-in request timeout (~5 min) forcibly finishes it. A handler that
does event.respondWith(new Promise(()=>{})) keeps the worker warm for
~5 min after we already reported failure to the FedCM caller, blocking
soft update for the IDP SW and racing with unregister(). A repeating
attacker can keep the worker warm indefinitely (one stuck respondWith per
10s).
Suggested fix: capture event_finish_id and reuse the existing scoped_refptr<ServiceWorkerVersion> already bound into OnTimeout , and call
version->FinishRequest(event_finish_id, /*was_handled=*/false);
before receiver_ref->Close(). That releases the slot promptly and aligns
the SW-side lifetime with the 10s budget the user sees.
Please also add a unit test along the lines of: "respondWith never
settles -> 10s later, the version's external-request count is back to
zero (or HasWork() returns false)".
result.error = IdentityCredentialTokenError{/*code=*/"", /*url=*/GURL()};OnSWTokenResponse synthesizes an empty IdentityCredentialTokenError{"", GURL()} for the kRespondWithFailed branch. Since parse_status already signals failure, this can either be dropped or filled with a meaningful code like "identity_handler_respond_with_failed".
OnError(string error_message);error_message is dead end-to-end:
The renderer always sends the same literal string in service_worker_global_scope.cc::RespondToIdentityRequestEvent :
result_callback->OnError("Identity request event handler failed");even though IdentityRequestRespondWithObserver already distinguishes three failure paths (rejected, invalid MIME, body-load failed). Today, only two of the three (rejected and invalid-MIME) emit a distinct console message; the body-load-failed path ( DidFetchDataLoadFailed ) is silent both renderer-side and — via the dead error_message — browser-side, so the SW author has no signal at all in that case.
The browser-side IdentityRequestResponseCallbackImpl::OnError in identity_request_event_dispatcher.cc ignores the argument:
void OnError(const std::string& error_message) override {
...
RunCallbackWithFailure(callback_, kRespondWithFailed); // arg unused
}Two options, pick one before this lands:
(a) Drop the parameter: OnError(); . Simpler interface, less confusion for future readers.
(b) Actually plumb the specific reason — pass it through to the dispatch callback, surface it in a browser-side console message (in addition to the renderer-side message the SW author already sees, so the RP-side developer also sees why), and/or use it as a label on the Blink.FedCm.IdentityHandler.FellBackToNetwork (or a sibling "Failed") histogram so we can tell rejected / invalid-mime / body-failed apart in the field. This also closes the body-load-failed gap above.
Currently this is API surface area with no behavior behind it
#include "third_party/blink/renderer/core/execution_context/execution_context.h"execution_context.h is included but ExecutionContext is never referenced.
// Copyright 2026 The Chromium AuthorsWPTs needs more coverage:
• idl.https.html (idlharness) for the IdentityRequestEvent IDL surface.
• register-rejects-on-invalid-well-known (negative path for the registration flow when the well-known file is malformed/missing).
• respondWith() second-call rejection (per spec, calling twice on the same event must throw InvalidStateError )
#include "third_party/blink/public/mojom/webid/fedcm_identity_request.mojom-blink.h"nit: this include appears unused in the header — the only mojom symbol referenced ( ServiceWorkerResponseError ) comes from the line above. Can it be dropped or moved to the .cc?
buffer->StartLoading(FetchDataLoader::CreateLoaderAsString(The Response body is read in full as a UTF-8 string with no upper bound. The existing FedCM network-fetch path caps payloads at maxResponseSizeInKiB * 1024 = 1 MiB ( idp_network_request_manager.cc:175 ). A buggy or malicious IDP SW can respondWith(new Response("x".repeat(2**30))) and allocate a multi-GiB Blink string. Please thread the same cap through IdentityResponseBodyLoader — ideally by tracking running bytes through the BytesConsumer so the cap is enforced during the read (not just at DidFetchDataLoadedString , which fires after the allocation has already happened).
public: true,missing status: "test" on the runtime feature?
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
// Copyright 2021 The Chromium AuthorsShould we split the CL?
1) mojom + Blink IDL surface + event class (RuntimeEnabled-gated)
2) SW global scope dispatch hooks + WaitUntilObserver glue
3) content/browser dispatcher + handler SW manager + unit tests + flags
4) idp_network_request_manager integration and wpts
Have plans to split the CL. The reason for sending a larger CL first is to help reviewers understand the flow. Once they’ve gone through it and there are no issues, I’ll send smaller CLs for review and code merge.
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
bool IsIdentityHandlerEnabled();is there a reason kFedCmIdentityHandler doesn't get a chrome://flags entry like its FedCM siblings ( kFedCmDelegation , kFedCmIdPRegistration , …)? An entry in about_flags.cc + flag_descriptions.{h,cc} would make local testing easier without requiring --enable-features=.
Thanks. Added the changes.
#include <optional>Nit: `OnRegistrationsForUnregisterFound` takes `const std::vector<scoped_refptr<ServiceWorkerRegistration>>&` but this header doesn't `#include <vector>`. Gets it transitively today. Per chromium IWYU, please add the direct include.
Added. Thanks.
base::TimeDelta timeout = base::Seconds(10));nit: prefer a file-scope constexpr base::TimeDelta kIdentityRespondWithTimeout = base::Seconds(10); over a literal in a default arg. Easier to grep/tune, and a clean seam if we ever want a Finch knob.
Added. Thanks.
#include "third_party/blink/renderer/core/execution_context/execution_context.h"execution_context.h is included but ExecutionContext is never referenced.
Removed.