Skip to content

Commit

Permalink
skip fetch if same-site
Browse files Browse the repository at this point in the history
  • Loading branch information
@cbiesinger
cbiesinger committed Oct 30, 2024
1 parent 6d44639 commit 6183adb
Showing 1 changed file with 52 additions and 47 deletions.
99 changes: 52 additions & 47 deletions spec/index.bs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -931,47 +931,55 @@ or failure.
1. Set |rootUrl|'s [=url/host=] to |configUrl|'s [=url/host=]'s [=host/registrable domain=].
1. Set |rootUrl|'s [=url/path=] to the <a>list</a> «".well-known", "web-identity"».
1. Let |config|, |discovery|, |accounts_url|, and |login_url| be null.
1. Let |skipWellKnown| be false.
1. Let |rpOrigin| be |globalObject|'s [=associated Document=]'s [=Document/origin=].
1. Let |wellKnownRequest| be a new [=/request=] as follows:

: [=request/URL=]
:: |rootUrl|
: [=request/client=]
:: null
: [=request/window=]
:: "no-window"
: [=request/service-workers mode=]
:: "none"
: [=request/destination=]
:: "webidentity"
: [=request/origin=]
:: a unique [=opaque origin=]
: [=request/header list=]
:: a [=list=] containing a single [=header=] with [=header/name=] set to `Accept` and
[=header/value=] set to `application/json`
: [=request/referrer policy=]
:: "no-referrer"
: [=request/credentials mode=]
:: "omit"
: [=request/mode=]
:: "no-cors"

Issue: The spec is yet to be updated so that all <a spec=fetch for=/>requests</a> are created
with [=request/mode=] set to "user-agent-no-cors". See the relevant
[pull request](https://github.com/whatwg/fetch/pull/1533) for details.

1. [=Fetch request=] with |wellKnownRequest| and |globalObject|, and with <var ignore>processResponseConsumeBody</var>
set to the following steps, given a <a spec=fetch for=/>response</a> |response| and |responseBody|:
1. Let |json| be the result of [=extract the JSON fetch response=] from |response| and
|responseBody|.
1. Set |discovery| to the result of [=converted to an IDL value|converting=] |json|
to an {{IdentityProviderWellKnown}}.
1. If one of the previous two steps threw an exception, or if the
[=list/size=] of |discovery|["{{IdentityProviderWellKnown/provider_urls}}"] is
greater than 1, set |discovery| to failure.
1. If |rpOrigin| is not an [=opaque origin=], and |rootUrl|'s [=url/host=] is equal
to |rpOrigin|'s [=host/registrable domain=], and |rootUrl|'s [=url/scheme=] is
equal to |rpOrigin|'s [=origin/scheme=], set |skipWellKnown| to true.

Issue: [relax](https://github.com/fedidcg/FedCM/issues/333) the size of the
provider_urls array.
Note: Because domain cookies are valid across an entire site, there is no privacy
benefit from doing the well-known check if the RP and IDP are in the same site.
1. Otherwise:
1. Let |wellKnownRequest| be a new [=/request=] as follows:

: [=request/URL=]
:: |rootUrl|
: [=request/client=]
:: null
: [=request/window=]
:: "no-window"
: [=request/service-workers mode=]
:: "none"
: [=request/destination=]
:: "webidentity"
: [=request/origin=]
:: a unique [=opaque origin=]
: [=request/header list=]
:: a [=list=] containing a single [=header=] with [=header/name=] set to `Accept` and
[=header/value=] set to `application/json`
: [=request/referrer policy=]
:: "no-referrer"
: [=request/credentials mode=]
:: "omit"
: [=request/mode=]
:: "no-cors"

Issue: The spec is yet to be updated so that all <a spec=fetch for=/>requests</a> are created
with [=request/mode=] set to "user-agent-no-cors". See the relevant
[pull request](https://github.com/whatwg/fetch/pull/1533) for details.

1. [=Fetch request=] with |wellKnownRequest| and |globalObject|, and with <var ignore>processResponseConsumeBody</var>
set to the following steps, given a <a spec=fetch for=/>response</a> |response| and |responseBody|:
1. Let |json| be the result of [=extract the JSON fetch response=] from |response| and
|responseBody|.
1. Set |discovery| to the result of [=converted to an IDL value|converting=] |json|
to an {{IdentityProviderWellKnown}}.
1. If one of the previous two steps threw an exception, or if the
[=list/size=] of |discovery|["{{IdentityProviderWellKnown/provider_urls}}"] is
greater than 1, set |discovery| to failure.

Issue: [relax](https://github.com/fedidcg/FedCM/issues/333) the size of the
provider_urls array.

1. Let |configRequest| be a new <a spec=fetch for=/>request</a> as follows:

Expand Down Expand Up @@ -1015,14 +1023,11 @@ or failure.
1. Set |accounts_url| to the result of [=computing the manifest URL=] with |provider|,
|config|.{{IdentityProviderAPIConfig/accounts_endpoint}}, and |globalObject|.
1. If |login_url| or |accounts_url| is failure, set |config| to failure.
1. Wait for both |config| and |discovery| to be set.
1. If |discovery| or |config| is failure, return failure.
1. If |rpOrigin| is not an [=opaque origin=], and |rootUrl|'s [=url/host=] is equal
to |rpOrigin|'s [=host/registrable domain=], and |rootUrl|'s [=url/scheme=] is
equal to |rpOrigin|'s [=origin/scheme=], return |config|.

Note: Because domain cookies are valid across an entire site, there is no privacy
benefit from doing the well-known check if the RP and IDP are in the same site.
1. Wait for |config| to be set.
1. If |config| is failure, return failure.
1. If |skipWellKnown| is true, return |config|.
1. Wait for |discovery| to be set.
1. If |discovery| is failure, return failure.
1. If |discovery|.{{IdentityProviderWellKnown/accounts_endpoint}} and
|discovery|.{{IdentityProviderWellKnown/login_url}} are set:
1. Let |well_known_accounts_url| be the result of [=computing the manifest URL=] with
Expand Down

0 comments on commit 6183adb

Please sign in to comment.