Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Mention SameSite cookies in accounts fetch #550

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 7 additions & 7 deletions spec/index.bs
Original file line number Diff line number Diff line change
Expand Up @@ -330,13 +330,11 @@ const credential = await navigator.credentials.get({
```
</div>

For fetches that are sent with cookies, unpartitioned cookies are included,
as if the resource was loaded as a same-origin request, e.g.
regardless of the
[SameSite](https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-samesite-attribute-2)
value (which is used when a resource loaded as a third-party, not first-party). This makes it easy
for an [=IDP=] to adopt the FedCM API. It doesn't introduce security issues on the API because the
[=RP=] cannot inspect the results from the fetches in any way.
For fetches that are sent with cookies, unpartitioned
npm1 marked this conversation as resolved.
Show resolved Hide resolved
[SameSite](https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-samesite-attribute-2)=None
cookies are included. This makes it easy for an [=IDP=] to adopt the FedCM API. It doesn't introduce
npm1 marked this conversation as resolved.
Show resolved Hide resolved
security issues on the API because the [=RP=] cannot inspect the results from the fetches on its
own (e.g. the browser mediates what the [=RP=] can receive).

<!-- ============================================================ -->
## The connected accounts set ## {#browser-connected-accounts-set}
Expand Down Expand Up @@ -1111,6 +1109,8 @@ returns an {{IdentityProviderAccountList}}.
with [=request/mode=] set to "user-agent-no-cors". See the relevant
[pull request](https://github.com/whatwg/fetch/pull/1533) for details.

Note: This fetch should only send Same-Site=None cookies. Specifying this will require cookie layering.
npm1 marked this conversation as resolved.
Show resolved Hide resolved

1. Let |accountsList| be null.
1. [=Fetch request=] with |request| and |globalObject|, and with <var ignore>processResponseConsumeBody</var>
set to the following steps given a <a spec=fetch for=/>response</a> |response| and |responseBody|:
Expand Down
Loading