Add a destination type for FedCM #1495
xref fedidcg/FedCM#353
When are implementations planning to ship this? If that's soon, will it move out of the CG soon as well?
This also requires a PR to CSP I think, to make it use connect-src.
The Build script discovered you need to update
We think it makes sense to define a destination type specific to FedCM requests (https://fedidcg.github.io/FedCM/). This would replace the Sec-FedCM-CSRF header that is currently in the FedCM spec.
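One way an identity provider could use the new destination on the server side, as an added example that is not part of this PR or of the Fetch or FedCM spec text. It assumes the browser reports the destination in the Sec-Fetch-Dest request header; the function names and sample header maps are constructed for illustration.

```javascript
// Added example: gate FedCM endpoints on the request destination.
// Sec-* headers are forbidden request headers, so page script using fetch()
// or XHR cannot set Sec-Fetch-Dest; the browser fills it in.
const FEDCM_DEST = "webidentity";

// Case-insensitive lookup in a plain object of request headers.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value).trim();
  }
  return null;
}

// Accept only requests the browser issued with the FedCM destination.
// A missing header (non-browser client, old browser) is treated as a failure
// so the check fails closed.
function checkFedCmRequest(headers) {
  const dest = getHeader(headers, "Sec-Fetch-Dest");
  if (dest === null) {
    return { ok: false, reason: "missing Sec-Fetch-Dest" };
  }
  if (dest !== FEDCM_DEST) {
    return { ok: false, reason: `unexpected destination: ${dest}` };
  }
  return { ok: true, reason: "FedCM request" };
}

// Constructed sample requests to a hypothetical IdP endpoint.
const samples = [
  { label: "FedCM request", headers: { "Sec-Fetch-Dest": "webidentity" } },
  { label: "page fetch()", headers: { "sec-fetch-dest": "empty" } },
  { label: "top-level navigation", headers: { "Sec-Fetch-Dest": "document" } },
  { label: "no metadata header", headers: { Accept: "application/json" } },
];

function classifyAll(requests) {
  return requests.map((r) => ({ label: r.label, ...checkFedCmRequest(r.headers) }));
}

for (const result of classifyAll(samples)) {
  console.log(`${result.label}: ${result.ok ? "allow" : "reject"} (${result.reason})`);
}
```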
To answer the questions:
The way it works is that Fetch calls out to CSP (to ensure all fetches are governed by CSP). With what you have now we'd end up checking CSP twice, and with slightly different CSP policies at that.
Oh OK, I will work on that. Can you elaborate on how it is a slightly different policy...?
Just because of the code path it goes down in CSP which doesn't currently know about this destination.
This is being added to fetch in whatwg/fetch#1495. See also issue fedidcg/FedCM#353 and fedidcg/FedCM#320.
I have sent w3c/webappsec-csp#567. Is there anything else that's blocking merging this PR?
Tests are in web-platform-tests/wpt#36230.
We are supportive and implementing FedCM. It is harder for us to be too precise at this point. Current ballpark is early next year.
Thanks @cbiesinger!
See whatwg/fetch#1495
Bug: 1368382
Change-Id: I298988f78fb10e21ccc83dde9f218f1371c676d1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3931069
Commit-Queue: Christian Biesinger <cbiesinger@chromium.org>
Reviewed-by: Finnur Thorarinsson <finnur@chromium.org>
Reviewed-by: Reilly Grant <reillyg@chromium.org>
Reviewed-by: Sophie Chang <sophiechang@chromium.org>
Reviewed-by: Daniel Rubery <drubery@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1054725}
@@ -1517,6 +1517,7 @@ the empty string, | |||
"<code>style</code>", | |||
"<code>track</code>", | |||
"<code>video</code>", | |||
"<code>webidentity</code>", |
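Review bot: The "webidentity" entry added after "video" has no accompanying text in this hunk saying which requests get this destination or which CSP directive governs them; the discussion on this PR points to connect-src. Suggest a short note next to the list, or a cross-reference to the FedCM spec, so the value is not read as one that page script can select. Since only this list is touched, the question of whether the RequestDestination enum should also carry the value needs an explicit answer before merging.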
Shouldn't this have been added to the dictionary too, or how is https://fetch.spec.whatwg.org/#dom-request-destination supposed to work?
It depends a bit on whether it's exposed to service workers, but if it is then yes. I filed #1500 on that.
Thanks for pointing that out. It is not exposed to service workers but I'll let Anne handle the question of whether it should be added to the enum anyway, since they have a patch already.
See whatwg/fetch#1495
Bug: 1368382
Change-Id: I298988f78fb10e21ccc83dde9f218f1371c676d1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3931069
Commit-Queue: Christian Biesinger <cbiesinger@chromium.org>
Reviewed-by: Finnur Thorarinsson <finnur@chromium.org>
Reviewed-by: Reilly Grant <reillyg@chromium.org>
Reviewed-by: Sophie Chang <sophiechang@chromium.org>
Reviewed-by: Daniel Rubery <drubery@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1054725}
NOKEYCHECK=True
GitOrigin-RevId: 2f45baa7de4e77ab72424192e7b4f9f659455ae6
… (FedCM), r=freddyb,webdriver-reviewers,whimboo
This is to keep up with WHATWG Fetch whatwg/fetch#1495. Also revised to not include the new destination type in the RequestDestination enum, per whatwg/fetch#1500. I added an element to nsIContentPolicy::nsContentPolicyType as my starting point and proceeded from there, following the instructions at the end of the internal enum.
Differential Revision: https://phabricator.services.mozilla.com/D158657