FedCM Permissions Policy #701
Comments
This seems like a good idea. My initial reaction is that no iframe should have this permission, but then I remembered that some of the NASCAR buttons are in iframes. I assume that is the motivating use case @npm1? Any I miss? If we accept that an iframe should have the power to call the API, then we should allow sites to protect themselves and an opt-in mechanism makes sense, especially per-iframe.
Yea, there are RPs which choose to embed the IDP script on a cross-origin iframe. It is also feasible for there to be use-cases where it is the iframe itself the one that needs authentication, but we don't yet have a concrete partner for that scenario.
This doesn't quite merit an entry in the standards-position dashboard, but we do agree that it is a positive change. To reflect that, we will label the issue as positive and close it without a PR. Thanks!
Request for Mozilla Position on an Emerging Web Specification
Other information
The FedCM API position was marked positive here. This request is specifically about the addition of a permissions policy so that a main frame grants permission to an iframe to invoke the FedCM API.
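The per-iframe opt-in discussed in this thread can be checked with a short audit script. The following is an added example, not code from this issue or from the FedCM specification: a simplified model of how Permissions Policy decides whether a frame may call FedCM. It assumes the feature name `identity-credentials-get` (not stated on this page), uses constructed origins (`rp.example`, `idp.example`, `ads.example`) and hypothetical function names, and parses the header naively rather than as full Structured Fields.

```javascript
const FEATURE = "identity-credentials-get"; // assumed FedCM policy-controlled feature name

// Allowlist the Permissions-Policy response header declares for FEATURE,
// or null when the header does not mention it (the default 'self' then applies).
function headerAllowlist(header) {
  for (const part of (header || "").split(",")) {
    const eq = part.indexOf("=");
    if (eq < 0 || part.slice(0, eq).trim() !== FEATURE) continue;
    const value = part.slice(eq + 1).trim();
    if (value === "*") return ["*"];
    return value.replace(/^\(|\)$/g, "").split(/\s+/).filter(Boolean)
      .map((t) => t.replace(/^"|"$/g, ""));
  }
  return null;
}

// Allowlist the iframe's allow attribute gives FEATURE, or null if not delegated.
function allowAttrList(allow, src) {
  for (const decl of (allow || "").split(";")) {
    const [name, ...tokens] = decl.trim().split(/\s+/);
    if (name !== FEATURE) continue;
    if (tokens.length === 0) return [new URL(src).origin]; // bare name means 'src'
    return tokens.map((t) =>
      t === "'src'" ? new URL(src).origin : t.replace(/^'|'$/g, ""));
  }
  return null;
}

function matches(list, origin, selfOrigin) {
  return list.some((t) =>
    t === "*" || t === origin || (t === "self" && origin === selfOrigin));
}

// May a frame {src, allow} embedded in the top-level page at pageUrl call FedCM?
function frameMayCallFedCM(pageUrl, header, frame) {
  const self = new URL(pageUrl).origin;
  const origin = new URL(frame.src).origin;
  const declared = headerAllowlist(header);
  if (!matches(declared ?? ["self"], self, self)) return false; // page lacks the feature
  if (declared && !matches(declared, origin, self)) return false; // header excludes frame
  const container = allowAttrList(frame.allow, frame.src);
  return container ? matches(container, origin, self) : origin === self;
}

// Constructed sample: an RP page that opts in exactly one IDP frame.
const PAGE = "https://rp.example/login";
const HEADER = 'geolocation=(), identity-credentials-get=(self "https://idp.example")';
const IDP_FRAME = { src: "https://idp.example/button", allow: "identity-credentials-get" };
console.log(frameMayCallFedCM(PAGE, HEADER, IDP_FRAME)); // true
```

In this model a cross-origin frame needs both the `allow` attribute and, when the page sends the header, a matching header entry, so a site can audit which embedded origins are able to trigger sign-in prompts.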