
Make it clearer that IdP needs to check Sec-Fetch-Dest #619

Open
npm1 opened this issue Jun 20, 2024 · 5 comments

Comments

@npm1
Collaborator

npm1 commented Jun 20, 2024

It looks like there is a note, but it is in the ID assertion section. We can move it up higher, as this applies to other sensitive endpoints, like the accounts endpoint, as well. Based on feedback from @philsmart

@philsmart
Contributor

Thanks! I was just wondering how the IdP should respond when this is not present. HTTP 400 with an error maybe (although I've not checked the note).

@cbiesinger
Collaborator

It doesn't really matter (we treat all errors the same), but I agree that it would be good if we added a note with a suggestion for how to handle that.
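As an added illustration of the check the thread is asking the spec to describe (example code, not from the FedCM spec or any IdP): a server-side guard that rejects requests to the sensitive IdP endpoints unless the browser-set `Sec-Fetch-Dest` header carries the FedCM value `webidentity`, answering with HTTP 400 as suggested above. The endpoint paths are hypothetical.

```python
"""Guard for FedCM IdP endpoints: require Sec-Fetch-Dest: webidentity.

Sec-Fetch-* headers are set by the browser and cannot be set by page
script, so their presence distinguishes a genuine FedCM fetch from an
ordinary cross-site request that merely carries the user's cookies.
"""
from dataclasses import dataclass
from typing import Mapping, Optional

# Value the FedCM spec requires browsers to send on IdP endpoint fetches.
FEDCM_DEST = "webidentity"

# Hypothetical paths; a real IdP takes these from its FedCM config file.
SENSITIVE_ENDPOINTS = {"/fedcm/accounts", "/fedcm/assertion"}


@dataclass
class Verdict:
    status: int
    body: dict


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_fedcm_request(path: str, headers: Mapping[str, str]) -> Verdict:
    """Return the response an IdP should give before doing any real work."""
    if path not in SENSITIVE_ENDPOINTS:
        return Verdict(200, {"ok": True})  # not a FedCM endpoint, no check
    dest = get_header(headers, "Sec-Fetch-Dest")
    if dest != FEDCM_DEST:
        # Missing or wrong value: reject without touching account data.
        # HTTP 400 is the thread's suggestion; the browser treats all
        # error statuses the same, so the exact code is a server choice.
        return Verdict(400, {"error": "invalid_request",
                             "error_description": "Sec-Fetch-Dest must be webidentity"})
    return Verdict(200, {"ok": True})


if __name__ == "__main__":
    # Constructed sample requests: one genuine FedCM fetch, one forged one.
    good = {"Cookie": "sid=abc", "sec-fetch-dest": "webidentity"}
    forged = {"Cookie": "sid=abc", "Sec-Fetch-Dest": "empty"}
    print(check_fedcm_request("/fedcm/accounts", good).status)    # 200
    print(check_fedcm_request("/fedcm/accounts", forged).status)  # 400
```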

@samuelgoto
Collaborator

samuelgoto commented Jul 1, 2024

Maybe this is best documented as part of (or maybe in addition to?) one of the profiles? WDYT @aaronpk @timcappalli, any guidance on where this "IdP implementation" guidance should live? The FedCM spec? The profile? Both?

Note that, as far as FedCM's spec per se, the browser can't actually check if the IdP is implementing these things properly, so we can, at best, have non-normative text, I think.

@aaronpk

aaronpk commented Jul 1, 2024

This is a core FedCM security feature, so I would expect to see this in the FedCM spec. The spec is not only for browser implementers, so it's fine to have normative requirements for the other roles as well.

@bc-pi

bc-pi commented Jul 1, 2024

100% with @aaronpk ^
