This API provides a way to prevent RPs from silently making cross-site credentialed requests to IdPs using the FedCM API, while minimizing user annoyance for users who are not logged in to the requested IdP. We call this problem the timing attack problem. In this proposal under review, specifically, when the user agent was not notified that the user is signed in to the IdP, no network request is made and so no UI has to be shown. Otherwise, whenever a credentialed request is made, UI is shown. This discourages use of the API for tracking. (Note: for Chrome's implementation we allow a once-per-IdP potentially-silent request for bootstrapping purposes.)
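The gating rule described in the issue, as an added simplified model (not the FedCM spec's algorithm and not any browser's code): the class, method and option names are assumptions for illustration, and the bootstrap branch assumes "potentially-silent" means no UI when the IdP returns no accounts. In the real API an IdP signals its status with the `Set-Login: logged-in` / `Set-Login: logged-out` response header or `navigator.login.setStatus()`.

```javascript
// Added example, not part of the issue or the FedCM spec: a model of how a
// user agent gates credentialed IdP requests on the stored login status.
// Names (UserAgentModel, allowBootstrapRequest, fetchAccounts) are assumptions.

class UserAgentModel {
  constructor({ allowBootstrapRequest = false } = {}) {
    this.loginStatus = new Map();   // idpOrigin -> 'logged-in' | 'logged-out'
    this.bootstrapUsed = new Set(); // IdPs that already consumed their one silent request
    this.allowBootstrapRequest = allowBootstrapRequest; // Chrome-style exception
    this.networkRequests = [];      // credentialed accounts fetches the model sent
  }

  // Called when an IdP response carries Set-Login or the IdP page calls
  // navigator.login.setStatus(status).
  setLoginStatus(idpOrigin, status) {
    if (status !== 'logged-in' && status !== 'logged-out') {
      throw new TypeError(`unknown login status: ${status}`);
    }
    this.loginStatus.set(idpOrigin, status);
  }

  // RP calls navigator.credentials.get({ identity: ... }) naming idpOrigin.
  // fetchAccounts stands in for the credentialed accounts-endpoint fetch and
  // returns the accounts the IdP would list (constructed test input).
  requestCredential(rpOrigin, idpOrigin, fetchAccounts) {
    const status = this.loginStatus.get(idpOrigin);
    if (status === 'logged-in') {
      // A credentialed request is made, so UI is always shown: the RP cannot probe the session unnoticed.
      this.networkRequests.push({ rpOrigin, idpOrigin });
      const accounts = fetchAccounts();
      return { networkRequest: true, uiShown: true, accounts };
    }
    const bootstrap = status === undefined && this.allowBootstrapRequest && !this.bootstrapUsed.has(idpOrigin);
    if (bootstrap) {
      // Once-per-IdP bootstrap: silent only if no accounts come back, in which case the IdP is recorded as logged-out.
      this.bootstrapUsed.add(idpOrigin);
      this.networkRequests.push({ rpOrigin, idpOrigin, bootstrap: true });
      const accounts = fetchAccounts();
      if (accounts.length === 0) {
        this.loginStatus.set(idpOrigin, 'logged-out');
        return { networkRequest: true, uiShown: false, accounts };
      }
      return { networkRequest: true, uiShown: true, accounts };
    }
    // Not signed in, or unknown with no bootstrap left: no request and no UI, so timing leaks nothing about the session.
    return { networkRequest: false, uiShown: false, accounts: [] };
  }
}
```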
It may be worth keeping this one open separately because it is my understanding that WebKit wants to support the Login Status API (a.k.a. the IdP sign-in status API) independently of FedCM?
I don't know about supporting it, but I've updated the title to be more specific about the Login Status API and now pointing to what's in the FedCM draft.
WebKittens: @johnwilander
Title of the spec: Login Status API
URL to the spec: https://fedidcg.github.io/FedCM/#browser-api-login-status
URL to the spec's repository: https://github.com/fedidcg/FedCM
Issue Tracker URL: No response
Explainer URL: fedidcg/FedCM#436
TAG Design Review URL: w3ctag/design-reviews#884
Mozilla standards-positions issue URL: No response
WebKit Bugzilla URL: No response
Radar URL: No response
Description: This is an extension to the FedCM API.