npm1 committed Sep 18, 2024
1 parent b365649 commit 69fdf09
Showing 1 changed file with 6 additions and 8 deletions.
14 changes: 6 additions & 8 deletions spec/index.bs
Expand Up @@ -330,13 +330,11 @@ const credential = await navigator.credentials.get({
```
</div>

For fetches that are sent with cookies, unpartitioned cookies are included,
as if the resource was loaded as a same-origin request, e.g.
regardless of the
[SameSite](https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-samesite-attribute-2)
value (which is used when a resource loaded as a third-party, not first-party). This makes it easy
for an [=IDP=] to adopt the FedCM API. It doesn't introduce security issues on the API because the
[=RP=] cannot inspect the results from the fetches in any way.
For fetches that are sent with cookies, unpartitioned
[SameSite](https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-samesite-attribute-2)=None
cookies are included. This makes it easy for an [=IDP=] to adopt the FedCM API. It doesn't introduce
security issues on the API because the [=RP=] cannot inspect the results from the fetches on its
own (e.g. the browser mediates what the [=RP=] can receive).

<!-- ============================================================ -->
## The connected accounts set ## {#browser-connected-accounts-set}
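Review bot: The rewritten paragraph says unpartitioned SameSite=None cookies "are included" but never says that SameSite=Lax and SameSite=Strict cookies are withheld, which is the actual behaviour change from the removed "regardless of the SameSite value" wording. Suggest stating it explicitly, for example "only unpartitioned SameSite=None cookies are included", so it matches the "should only send" Note on the accounts fetch. In the last sentence, "(e.g. the browser mediates what the [=RP=] can receive)" is an explanation rather than an example, so "i.e." fits better, and the security argument would be easier to check if it linked to the section that defines what the [=RP=] receives.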
Expand Down Expand Up @@ -1111,7 +1109,7 @@ returns an {{IdentityProviderAccountList}}.
with [=request/mode=] set to "user-agent-no-cors". See the relevant
[pull request](https://github.com/whatwg/fetch/pull/1533) for details.

Note: This fetch should only send Same-Site None cookies. Specifying this will require cookie layering.
Note: This fetch should only send Same-Site=None cookies. Specifying this will require cookie layering.

1. Let |accountsList| be null.
1. [=Fetch request=] with |request| and |globalObject|, and with <var ignore>processResponseConsumeBody</var>
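Review bot: The Note spells the attribute "Same-Site=None", while the paragraph changed earlier in this commit and the linked cookie draft both write "SameSite"; use "SameSite=None" here too so the two places read the same and are searchable. The restriction is also still carried only by a non-normative Note worded with "should", so nothing in the algorithm steps below it enforces the cookie filtering until cookie layering is specified. A link to the tracking issue for that work would let implementers see that this is a known gap rather than optional behaviour.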
