Skip to content

Commit

Permalink
Change ID assertion endpoint mode to CORS (#547)
Browse files Browse the repository at this point in the history
* Change ID assertion endpoint mode to CORS

* Update spec/index.bs

Co-authored-by: Ted Thibodeau Jr <tthibodeau@openlinksw.com>

---------

Co-authored-by: Ted Thibodeau Jr <tthibodeau@openlinksw.com>
  • Loading branch information
npm1 and TallTed authored Aug 16, 2024
1 parent 1b8a527 commit 90128b5
Showing 1 changed file with 11 additions and 5 deletions.
16 changes: 11 additions & 5 deletions spec/index.bs
Original file line number Diff line number Diff line change
Expand Up @@ -1332,11 +1332,7 @@ To <dfn>fetch an identity assertion</dfn> given a {{USVString}}
: [=request/credentials mode=]
:: "include"
: [=request/mode=]
:: "no-cors"

Issue: The spec is yet to be updated so that all <a spec=fetch for=/>requests</a> are created
with [=request/mode=] set to "user-agent-no-cors". See the relevant
[pull request](https://github.com/whatwg/fetch/pull/1533) for details.
:: "cors"

1. Let |credential| be null.
1. [=Fetch request=] with |request| and |globalObject|, and with <var ignore>processResponseConsumeBody</var>
Expand Down Expand Up @@ -2530,6 +2526,16 @@ credentialed requests it receives, which ensures that the request was initiated
based on the FedCM API. A malicious actor cannot spam FedCM API calls, so this is sufficient
protection for the new [=IDP=] endpoints.

<!-- ============================================================ -->
## CORS Header ## {#sec-cors-header}
<!-- ============================================================ -->

The FedCM API allows the response from the [=identity assertion endpoint=] to be shared to the
[=RP=]. Because of this, we impose the requirement that the [=IDP=] explicitly consents to this
sharing taking place by using the "cors" [=request/mode=] when fetching this endpoint. This also
helps with servers that may accidentally ignore the <a http-header>Sec-Fetch-Dest</a>: they cannot
ignore CORS, as without it the fetch will fail.

<!-- ============================================================ -->
## Browser Surface Impersonation ## {#browser-surface-impersonation}
<!-- ============================================================ -->
Expand Down

0 comments on commit 90128b5

Please sign in to comment.