PSA: Use Origin header instead of Referer in FedCM requests starting from M110

161 views
Skip to first unread message

FedCM developer newsletter

unread,
Jan 3, 2023, 1:57:02 PM1/3/23
to FedCM developer newsletter

Currently we use “Referer” in the header when sending requests to identity providers. “Origin” on the other hand, is a more modern concept and its semantics agree with the value we have. As a result, we decided to use “Origin” instead during a recent discussion with Safari and Firefox. In particular:

  • Chrome will use "Origin" instead of "Referer" for the requests that need to expose the RP

  • Chrome will send no Origin (instead of "Origin: null") for requests that do not expose the RP

This change is effective in Chrome M110 (Stable release on Feb 7, 2023). If you have already implemented the "Referer" header, it's better to check both "Referer" and "Origin" to make sure FedCM API works on early Chrome clients (e.g. M108, M109) as well.


Reply all
Reply to author
Forward
0 new messages