LGTM3

On Wed, Oct 25, 2023 at 8:44 PM Mike Taylor <miketa...@chromium.org> wrote:

> LGTM2
>
> On 10/25/23 2:39 PM, 'Rick Byers' via blink-dev wrote:
>
> FWIW since the PR has landed, the correct link to reference the spec is
> https://fedidcg.github.io/FedCM/#browser-api-login-status. Since WebKit
> has expressed some interest in using this API in other scenarios than just
> FedCM I imagine there may be a request at some point to move it out of the
> FedCM spec. But that seems like a bridge we can cross if/when we come to
> it. Thank you for putting the extra work in at TPAC to get consensus on
> unification with login status.
>
> And +1 that the WPTs are in place and running where it currently matters,
> and it's just the wpt.fyi infra that we're waiting on review for. So I
> don't see any need to block on that.
>
> LGTM1 to ship
>
> On Wed, Oct 25, 2023 at 12:17 PM Nicolás Peña <n...@chromium.org> wrote:
>
>> To add to what Christian mentioned, we do have WPT tests for this feature
>> here
>> <https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/external/wpt/credential-management/fedcm-login-status/>
>> and they have been running in Chromium CQ, so it is only WPT.fyi that is
>> missing coverage. And we already know that Firefox and Apple have not yet
>> implemented FedCM, so at the moment we would not gain any additional
>> information from having the tests pass in WPT.fyi.
>>
>> On Wednesday, October 25, 2023 at 12:11:54 PM UTC-4 blink-dev wrote:
>>
>>> It seems I may have a reviewer *now*, maybe. It's been very hard to get
>>> someone to review this and I don't know if I will be able to get a timely
>>> lgtm, so I am hoping that this I2S won't get blocked on this, since this is
>>> mostly outside my control.
>>> (I don't think past I2S were blocked on wpt
>>> tests when the problem was missing infrastructure support)
>>>
>>> Christian
>>>
>>> On Wed, Oct 25, 2023 at 12:04 PM Philip Jägenstedt <foo...@chromium.org>
>>> wrote:
>>>
>>>> Hi Christian,
>>>>
>>>> Do you have a reviewer for
>>>> https://github.com/web-platform-tests/wpt/pull/40709 so you can get it
>>>> merged? Just like spec changes, tests are ideally merged and showing
>>>> results on wpt.fyi before we ship, so that any issues are apparent and can
>>>> be addressed.
>>>>
>>>> Best regards,
>>>> Philip
>>>>
>>>> On Wed, Oct 18, 2023 at 6:54 PM Christian Biesinger
>>>> <cbiesin...@chromium.org> wrote:
>>>>
>>>>> +Ben and Martin from Mozilla -- could you weigh in on whether we
>>>>> should create a Mozilla standards position request for this?
>>>>>
>>>>> Daniel: there is no technical limitation that prevents a non-IDP from
>>>>> calling this API, apologies for the unclear phrasing. However, a non-IDP
>>>>> (or indeed an IDP that does not use FedCM) will get no benefit from
>>>>> calling this API.
>>>>>
>>>>> Christian
>>>>>
>>>>> On Wed, Oct 18, 2023 at 12:11 PM Daniel Bratell <bratel...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi, I just have a couple of questions without having read through the
>>>>>> intent in detail.
>>>>>>
>>>>>> You say "Our goal is to open this up to other websites in the
>>>>>> future.", but what does that mean? Is there some kind of web site
>>>>>> restriction today?
>>>>>>
>>>>>> Not creating a https://github.com/mozilla/standards-positions/issues
>>>>>> entry seems a bit wrong even if someone at Mozilla has said it is not
>>>>>> needed. They have in the past specifically wanted us to explicitly use
>>>>>> the standards-positions repo rather than relying on negative or positive
>>>>>> statements elsewhere. Would it be best to post one just in case?
>>>>>>
>>>>>> /Daniel
>>>>>>
>>>>>> On 2023-10-12 21:04, Christian Biesinger wrote:
>>>>>>
>>>>>> Contact emails
>>>>>>
>>>>>> cbiesin...@chromium.org
>>>>>>
>>>>>> Explainer
>>>>>>
>>>>>> https://github.com/fedidcg/FedCM/blob/main/proposals/idp-sign-in-status-api.md
>>>>>>
>>>>>> Specification
>>>>>>
>>>>>> https://github.com/fedidcg/FedCM/pull/436
>>>>>>
>>>>>> Summary
>>>>>>
>>>>>> The Login Status API <https://github.com/fedidcg/login-status>
>>>>>> (formerly IdP Sign-in Status API) allows identity providers to signal to
>>>>>> the browser when their users are logging-in/out. Our goal is to open this
>>>>>> up to other websites in the future.
>>>>>>
>>>>>> This signal, in this intent, is used by FedCM to address a silent
>>>>>> timing attack, and in doing so, allows FedCM to operate without third
>>>>>> party cookies altogether. This update would address the last remaining
>>>>>> backwards incompatible changes we had previously identified in the
>>>>>> original I2S of FedCM
>>>>>> <https://groups.google.com/a/chromium.org/g/blink-dev/c/URpYPPH-YQ4/m/E9pgS7GEBAAJ>
>>>>>> as part of our scope of work.
>>>>>>
>>>>>> In the future, we expect that the Login Status API may also be used
>>>>>> outside of FedCM (e.g. the Storage Access API
>>>>>> <https://github.com/fedidcg/login-status#storage-access-api>) and
>>>>>> may be useful for websites that are not identity providers (e.g.
>>>>>> extending browser storage
>>>>>> <https://github.com/fedidcg/login-status#extending-site-data-storage>).
>>>>>>
>>>>>> Blink component
>>>>>>
>>>>>> Blink>Identity>FedCM
>>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EIdentity%3EFedCM>
>>>>>>
>>>>>> Search tags
>>>>>>
>>>>>> fedcm <https://chromestatus.com/features#tags:fedcm>, login
>>>>>> <https://chromestatus.com/features#tags:login>
>>>>>>
>>>>>> TAG review
>>>>>>
>>>>>> https://github.com/w3ctag/design-reviews/issues/884
>>>>>>
>>>>>> TAG review status
>>>>>>
>>>>>> Pending
>>>>>>
>>>>>> Chromium Trial Name
>>>>>>
>>>>>> FedCmIdpSigninStatus
>>>>>>
>>>>>> Link to origin trial feedback summary
>>>>>>
>>>>>> https://github.com/fedidcg/FedCM/issues/
>>>>>>
>>>>>> Origin Trial documentation link
>>>>>>
>>>>>> https://github.com/fedidcg/FedCM/blob/main/proposals/idp-sign-in-status-api.md
>>>>>>
>>>>>> https://developer.chrome.com/blog/fedcm-chrome-116-updates/#idp-signin-status
>>>>>>
>>>>>> Risks Interoperability and Compatibility
>>>>>>
>>>>>> For interop:
>>>>>>
>>>>>> This I2S is composed of two different (but interdependent) APIs: The
>>>>>> Login Status API and FedCM.
>>>>>>
>>>>>> With regards to the Login Status API
>>>>>> <https://github.com/fedidcg/login-status>, both Firefox and Safari
>>>>>> are on board with the general API (breakout notes
>>>>>> <https://www.w3.org/2023/09/13-login-status-minutes.html>, follow up
>>>>>> notes
>>>>>> <https://github.com/fedidcg/meetings/blob/main/2023/2023-09-14-TPAC-notes.md#login-status-api>).
>>>>>> There is an overall agreement on starting from a self-declared status
>>>>>> and also some general agreement on where the Login Status API may lead
>>>>>> in the future, including having higher assurance levels and applications
>>>>>> outside of FedCM.
>>>>>>
>>>>>> With regards to its use in FedCM, Firefox is generally in agreement
>>>>>> with the shape of the solution. Firefox is working on the implementation
>>>>>> behind a flag. Safari isn’t shipping FedCM yet.
>>>>>>
>>>>>> For compat:
>>>>>>
>>>>>> While this is a backwards incompatible change for FedCM, we are in
>>>>>> active conversations with all IdPs that are currently using FedCM (as
>>>>>> shown by our UKM metrics) and they are onboard with this change.
>>>>>>
>>>>>> Gecko: Under consideration (https://github.com/fedidcg/FedCM/pull/436)
>>>>>> We have been working with the Firefox team for the last year or so on
>>>>>> this API (e.g. TPAC 2022
>>>>>> <https://github.com/fedidcg/FedCM/blob/main/meetings/2022/FedCM_%20Options%20for%20the%20Timing%20Attack%20Problem%20(8_16_2022).pdf>).
>>>>>> We generally agree on the shape of the solution and we are working with
>>>>>> them to write the spec in a way that allows Chrome and Firefox to
>>>>>> implement FedCM in an interoperable way. (Firefox has asked us
>>>>>> (https://github.com/fedidcg/FedCM/issues/431#issuecomment-1425025469)
>>>>>> to rely on PR comments instead of filing standards positions for these
>>>>>> FedCM extensions)
>>>>>>
>>>>>> WebKit: Under consideration
>>>>>> (https://github.com/WebKit/standards-positions/issues/250)
>>>>>> No signal. Safari has so far shown overall support for FedCM [1], but
>>>>>> hasn't yet formed a position on this specific extension of FedCM [2]. We
>>>>>> are generally in agreement of the API shape using the Login Status API
>>>>>> [3], but we haven't yet gotten signals from them on how FedCM,
>>>>>> specifically, is going to be using this signal.
>>>>>> [1] https://lists.webkit.org/pipermail/webkit-dev/2022-March/032162.html
>>>>>> [2] https://github.com/WebKit/standards-positions/issues/250
>>>>>> [3] https://github.com/privacycg/is-logged-in/issues/53
>>>>>>
>>>>>> Web developers: Positive
>>>>>> (https://developers.google.com/identity/gsi/web/guides/supported-browsers#third-party_cookies)
>>>>>> We have been working with the FedID CG to develop this API and running
>>>>>> experiments with the Google Identity Services team.
>>>>>>
>>>>>> Other signals:
>>>>>>
>>>>>> Ergonomics
>>>>>>
>>>>>> This is an API that is designed to be used by identity providers,
>>>>>> when their users log in to their websites. We exposed an HTTP header,
>>>>>> since we heard from them that logins are often made through 302
>>>>>> redirects.
>>>>>> We are also exposing a JS API for IdPs who find it easier to use JS than
>>>>>> HTTP headers. We show an error message in devtools when a FedCM request
>>>>>> fails because the user is not signed in.
>>>>>>
>>>>>> WebView application risks
>>>>>>
>>>>>> Does this intent deprecate or change behavior of existing APIs, such
>>>>>> that it has potentially high risk for Android WebView-based applications?
>>>>>>
>>>>>> n/a, FedCM not supported on Webview
>>>>>>
>>>>>> Debuggability
>>>>>>
>>>>>> We show errors in devtools to help with debugging.
>>>>>>
>>>>>> Will this feature be supported on all six Blink platforms (Windows,
>>>>>> Mac, Linux, Chrome OS, Android, and Android WebView)?
>>>>>>
>>>>>> No
>>>>>> FedCM in general is not supported on WebView, but we support this API
>>>>>> on all other blink platforms.
>>>>>>
>>>>>> Is this feature fully tested by web-platform-tests
>>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>>>>>
>>>>>> Yes
>>>>>> Testing on wpt.fyi is blocked on
>>>>>> https://github.com/web-platform-tests/wpt/pull/40709 getting
>>>>>> reviewed and merged.
>>>>>> Otherwise, we are adding tests that will be in the
>>>>>> credential-management/fedcm-login-status directory as shown on the WPT
>>>>>> dashboard here:
>>>>>> <https://wpt.fyi/results/credential-management?label=master&label=experimental&aligned>
>>>>>> https://wpt.fyi/results/credential-management/fedcm-login-status?label=experimental&label=master&aligned
>>>>>>
>>>>>> DevTrial instructions
>>>>>>
>>>>>> https://github.com/fedidcg/FedCM/blob/main/explorations/HOWTO-chrome.md#idp-sign-in-status-api
>>>>>>
>>>>>> Flag name on chrome://flags
>>>>>>
>>>>>> FedCmIdpSigninStatus
>>>>>>
>>>>>> Finch feature name
>>>>>>
>>>>>> FedCmIdpSigninStatus
>>>>>>
>>>>>> Requires code in //chrome?
>>>>>>
>>>>>> True
>>>>>>
>>>>>> Tracking bug
>>>>>>
>>>>>> https://crbug.com/1451396
>>>>>>
>>>>>> Launch bug
>>>>>>
>>>>>> https://launch.corp.google.com/launch/4280114
>>>>>>
>>>>>> Estimated milestones
>>>>>>
>>>>>> Shipping on desktop
>>>>>>
>>>>>> 120
>>>>>>
>>>>>> OriginTrial desktop last
>>>>>>
>>>>>> 119
>>>>>>
>>>>>> OriginTrial desktop first
>>>>>>
>>>>>> 116
>>>>>>
>>>>>> DevTrial on desktop
>>>>>>
>>>>>> 115
>>>>>>
>>>>>> Shipping on Android
>>>>>>
>>>>>> 120
>>>>>>
>>>>>> OriginTrial Android last
>>>>>>
>>>>>> 119
>>>>>>
>>>>>> OriginTrial Android first
>>>>>>
>>>>>> 117
>>>>>>
>>>>>> Anticipated spec changes
>>>>>>
>>>>>> Open questions about a feature may be a source of future web compat
>>>>>> or interop issues. Please list open issues (e.g. links to known github
>>>>>> issues in the project for the feature specification) whose resolution may
>>>>>> introduce web compat/interop risk (e.g., changing to naming or structure
>>>>>> of the API in a non-backward-compatible way).
>>>>>>
>>>>>> n/a
>>>>>>
>>>>>> Link to entry on the Chrome Platform Status
>>>>>>
>>>>>> https://chromestatus.com/feature/5177628008382464
>>>>>>
>>>>>> Links to previous Intent discussions
>>>>>>
>>>>>> Intent to Experiment:
>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPTJ0XHJ-LMsCa-PMf1Ft51DCJK1dkzRrFZmRZuzL_Qe2WK2iA%40mail.gmail.com
>>>>>>
>>>>>> This intent message was generated by Chrome Platform Status
>>>>>> <https://chromestatus.com/>.
>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "blink-dev" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an email to blink-dev+unsubscr...@chromium.org.
>>>>>> To view this discussion on the web visit
>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPTJ0XHZQ7dzGGrY%2BNznzTLA3ap1W8EbLJuMGVxV4sk4oFxvHQ%40mail.gmail.com
>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPTJ0XHZQ7dzGGrY%2BNznzTLA3ap1W8EbLJuMGVxV4sk4oFxvHQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.