From bfbfc6bf541172bdf9047ff9967d4f8a29843312 Mon Sep 17 00:00:00 2001 From: npm1 Date: Tue, 12 Mar 2024 14:17:38 -0400 Subject: [PATCH 1/4] Mention SameSite cookies in accounts fetch This PR adds a mention to which cookies ought to be sent in the accounts fetch. Once cookie layering work is done, we can remove this note and properly specify it. --- spec/index.bs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/spec/index.bs b/spec/index.bs index b2462419..e970c058 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -1111,6 +1111,8 @@ returns an {{IdentityProviderAccountList}}. with [=request/mode=] set to "user-agent-no-cors". See the relevant [pull request](https://github.com/whatwg/fetch/pull/1533) for details. + Note: This fetch should only send Same-Site None cookies. Specifying this will require cookie layering. + 1. Let |accountsList| be null. 1. [=Fetch request=] with |request| and |globalObject|, and with processResponseConsumeBody set to the following steps given a response |response| and |responseBody|: From 5d4f1618cedeadf414e541133fa964181a5c7c4f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicol=C3=A1s=20Pe=C3=B1a=20Moreno?= Date: Wed, 18 Sep 2024 16:56:46 -0400 Subject: [PATCH 2/4] feedback --- spec/index.bs | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/spec/index.bs b/spec/index.bs index e970c058..d47da5e4 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -330,13 +330,11 @@ const credential = await navigator.credentials.get({ ``` -For fetches that are sent with cookies, unpartitioned cookies are included, -as if the resource was loaded as a same-origin request, e.g. -regardless of the -[SameSite](https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-samesite-attribute-2) -value (which is used when a resource loaded as a third-party, not first-party). This makes it easy -for an [=IDP=] to adopt the FedCM API. It doesn't introduce security issues on the API because the -[=RP=] cannot inspect the results from the fetches in any way. +For fetches that are sent with cookies, unpartitioned +[SameSite](https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-samesite-attribute-2)=None +cookies are included. This makes it easy for an [=IDP=] to adopt the FedCM API. It doesn't introduce +security issues on the API because the [=RP=] cannot inspect the results from the fetches on its +own (e.g. the browser mediates what the [=RP=] can receive). ## The connected accounts set ## {#browser-connected-accounts-set} @@ -1111,7 +1109,7 @@ returns an {{IdentityProviderAccountList}}. with [=request/mode=] set to "user-agent-no-cors". See the relevant [pull request](https://github.com/whatwg/fetch/pull/1533) for details. - Note: This fetch should only send Same-Site None cookies. Specifying this will require cookie layering. + Note: This fetch should only send Same-Site=None cookies. Specifying this will require cookie layering. 1. Let |accountsList| be null. 1. [=Fetch request=] with |request| and |globalObject|, and with processResponseConsumeBody From b2abb6aae2518ab7eade93161a6adfaa3425464e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicol=C3=A1s=20Pe=C3=B1a=20Moreno?= Date: Thu, 19 Sep 2024 11:43:50 -0400 Subject: [PATCH 3/4] Update index.bs --- spec/index.bs | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/spec/index.bs b/spec/index.bs index d47da5e4..eec0862c 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -332,9 +332,9 @@ const credential = await navigator.credentials.get({ For fetches that are sent with cookies, unpartitioned [SameSite](https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-samesite-attribute-2)=None -cookies are included. This makes it easy for an [=IDP=] to adopt the FedCM API. It doesn't introduce -security issues on the API because the [=RP=] cannot inspect the results from the fetches on its -own (e.g. the browser mediates what the [=RP=] can receive). +cookies are included. It doesn't introduce security issues on the API even when third-party cookies are otherwise +disabled because the [=RP=] cannot inspect the results from the fetches on its own (e.g. the browser mediates what +the [=RP=] can receive). ## The connected accounts set ## {#browser-connected-accounts-set} @@ -1109,7 +1109,8 @@ returns an {{IdentityProviderAccountList}}. with [=request/mode=] set to "user-agent-no-cors". See the relevant [pull request](https://github.com/whatwg/fetch/pull/1533) for details. - Note: This fetch should only send Same-Site=None cookies. Specifying this will require cookie layering. + Note: This fetch should only send Same-Site=None cookies. Specifying this will require + [cookie layering](https://github.com/httpwg/http-extensions/issues/2084). 1. Let |accountsList| be null. 1. [=Fetch request=] with |request| and |globalObject|, and with processResponseConsumeBody From 662dc2eb6af0c2fd9e617b7116b67a903c5eb180 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicol=C3=A1s=20Pe=C3=B1a=20Moreno?= Date: Mon, 23 Sep 2024 18:21:07 -0400 Subject: [PATCH 4/4] Apply suggestions from code review Co-authored-by: Ted Thibodeau Jr --- spec/index.bs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spec/index.bs b/spec/index.bs index eec0862c..2b6a76d2 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -330,10 +330,10 @@ const credential = await navigator.credentials.get({ ``` -For fetches that are sent with cookies, unpartitioned +When fetches are sent with cookies, unpartitioned [SameSite](https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-samesite-attribute-2)=None cookies are included. It doesn't introduce security issues on the API even when third-party cookies are otherwise -disabled because the [=RP=] cannot inspect the results from the fetches on its own (e.g. the browser mediates what +disabled because the [=RP=] cannot inspect the results from the fetches on its own (i.e., the browser mediates what the [=RP=] can receive).