Skip well-known check if RP and IDP are in the same site. (#535)
* Skip well-known check if RP and IDP are in the same site.

The check provides no privacy benefit (because they can share information
using domain cookies) and makes it harder to test FedCM in certain
staging setups.

* Fix indent

* Handle opaque origins and also compare schemes
cbiesinger authored Jan 16, 2024
1 parent 828e96b commit b3674e5
Showing 1 changed file with 52 additions and 44 deletions.
96 changes: 52 additions & 44 deletions spec/index.bs
@@ -1022,51 +1022,59 @@ or failure.
1. Set |rootUrl|'s [=url/scheme=] to |configUrl|'s [=url/scheme=].
1. Set |rootUrl|'s [=url/host=] to |configUrl|'s [=url/host=]'s [=host/registrable domain=].
1. Set |rootUrl|'s [=url/path=] to the <a>list</a> «".well-known", "web-identity"».
1. Let |wellKnownRequest| be a new [=/request=] as follows:

: [=request/URL=]
:: |rootUrl|
: [=request/client=]
:: null
: [=request/window=]
:: "no-window"
: [=request/service-workers mode=]
:: "none"
: [=request/destination=]
:: "webidentity"
: [=request/origin=]
:: a unique [=opaque origin=]
: [=request/header list=]
:: a [=list=] containing a single [=header=] with [=header/name=] set to `Accept` and
[=header/value=] set to `application/json`
: [=request/referrer policy=]
:: "no-referrer"
: [=request/credentials mode=]
:: "omit"
: [=request/mode=]
:: "no-cors"

Issue: The spec is yet to be updated so that all <a spec=fetch for=/>requests</a> are created
with [=request/mode=] set to "user-agent-no-cors". See the relevant
[pull request](https://github.com/whatwg/fetch/pull/1533) for details.

1. Let |config|, |configInWellKnown| both be null.
1. [=Fetch request=] with |wellKnownRequest| and |globalObject|, and with <var ignore>processResponseConsumeBody</var>
set to the following steps given a <a spec=fetch for=/>response</a> |response| and |responseBody|:
1. Let |json| be the result of [=extract the JSON fetch response=] from |response| and
|responseBody|.
1. [=converted to an IDL value|Convert=] |json| to an {{IdentityProviderWellKnown}},
|discovery|.
1. If one of the previous two steps threw an exception, or if the
[=list/size=] of |discovery|["{{IdentityProviderWellKnown/provider_urls}}"] is
greater than 1, set |configInWellKnown| to false.

Issue: [relax](https://github.com/fedidcg/FedCM/issues/333) the size of the
provider_urls array.

1. Otherwise, set to |configInWellKnown| to true if
|discovery|["{{IdentityProviderWellKnown/provider_urls}}"][0] [=string/is=] equal to
|provider|'s {{IdentityProviderConfig/configURL}}, and to false otherwise.
1. Let |rpOrigin| be |globalObject|'s [=associated Document=]'s [=Document/origin=].
1. If |rpOrigin| is not an [=opaque origin=], and |rootUrl|'s [=url/host=] is equal
to |rpOrigin|'s [=host/registrable domain=], and |rootUrl|'s [=url/scheme=] is
equal to |rpOrigin|'s [=origin/scheme=], set |configInWellKnown| to true.

Note: Because domain cookies are valid across an entire site, there is no privacy
benefit from doing the well-known check if the RP and IDP are in the same site.
1. Otherwise:
1. Let |wellKnownRequest| be a new [=/request=] as follows:

: [=request/URL=]
:: |rootUrl|
: [=request/client=]
:: null
: [=request/window=]
:: "no-window"
: [=request/service-workers mode=]
:: "none"
: [=request/destination=]
:: "webidentity"
: [=request/origin=]
:: a unique [=opaque origin=]
: [=request/header list=]
:: a [=list=] containing a single [=header=] with [=header/name=] set to `Accept` and
[=header/value=] set to `application/json`
: [=request/referrer policy=]
:: "no-referrer"
: [=request/credentials mode=]
:: "omit"
: [=request/mode=]
:: "no-cors"

Issue: The spec is yet to be updated so that all <a spec=fetch for=/>requests</a> are created
with [=request/mode=] set to "user-agent-no-cors". See the relevant
[pull request](https://github.com/whatwg/fetch/pull/1533) for details.

1. [=Fetch request=] with |wellKnownRequest| and |globalObject|, and with <var ignore>processResponseConsumeBody</var>
set to the following steps given a <a spec=fetch for=/>response</a> |response| and |responseBody|:
1. Let |json| be the result of [=extract the JSON fetch response=] from |response| and
|responseBody|.
1. [=converted to an IDL value|Convert=] |json| to an {{IdentityProviderWellKnown}},
|discovery|.
1. If one of the previous two steps threw an exception, or if the
[=list/size=] of |discovery|["{{IdentityProviderWellKnown/provider_urls}}"] is
greater than 1, set |configInWellKnown| to false.

Issue: [relax](https://github.com/fedidcg/FedCM/issues/333) the size of the
provider_urls array.

1. Otherwise, set to |configInWellKnown| to true if
|discovery|["{{IdentityProviderWellKnown/provider_urls}}"][0] [=string/is=] equal to
|provider|'s {{IdentityProviderConfig/configURL}}, and to false otherwise.

1. Let |configRequest| be a new <a spec=fetch for=/>request</a> as follows:

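Review bot: the same-site comparison in the added step ("If |rpOrigin| is not an [=opaque origin=], and |rootUrl|'s [=url/host=] is equal to |rpOrigin|'s [=host/registrable domain=], and |rootUrl|'s [=url/scheme=] is equal to |rpOrigin|'s [=origin/scheme=]") links an origin to a host-level term and treats a null registrable domain as a match. |rpOrigin| is an origin, so the link should follow the pattern used for |configUrl| at the top of the hunk, i.e. |rpOrigin|'s [=origin/host=]'s [=host/registrable domain=]. More importantly, |rootUrl|'s host was itself set to |configUrl|'s host's registrable domain, which is null for an IP-address or other non-registrable host; an RP on such a host would then compare equal to any IDP on such a host and the well-known check would be skipped for two unrelated hosts. Requiring the registrable domain to be non-null, or replacing the hand-rolled comparison with HTML's same-site test on |rpOrigin| and |configUrl|'s origin, would close that gap and also keep the scheme comparison in one place. Two smaller points: the old line `Let |config|, |configInWellKnown| both be null.` is no longer present in this hunk while the new branch still assigns |configInWellKnown| before the fetch, so please confirm the declaration was moved above the hunk rather than dropped; and the pre-existing typo `set to |configInWellKnown| to true if` is carried over verbatim into the moved block and could be fixed to `set |configInWellKnown| to true if` while these lines are being touched.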
