FedCM Update #1104

Open
wants to merge 1 commit into
base: main

bvandersloot-mozilla
Contributor

It's been a couple years. This should be a good update.

@martinthomson is a good person to review and merge!

Member

@tantek tantek left a comment

I checked the linked issue #618 and didn't see any discussion regarding the change in position from "positive" to "neutral". Could you add a comment there with the updated analysis (or link if elsewhere) that led to the new "neutral" position?

@bvandersloot-mozilla
Contributor Author

@tantek: I've added a comment with some updated analysis in #618. I also updated the URL so it doesn't rely on a redirect. It recently published a FPWD in a WG, but has a lot of issues to close before it becomes a CR. Should I leave the org as "Proposal" or update to "W3C"?

"mozPosition": "positive",
"mozPositionDetail": "Federated login is a widely-used feature on the web with significant user benefits in usability and security. Unfortunately, federated identity on the web relies on the same techniques that are used to track web users. The Federated Credential Management API puts the browser in control of managing cross-site logins. Browsers can use this API as a way to give web users better ability to control and monitor how their identity - and any information related to their identity - is exchanged between sites. Including the browser in a mediating role will adversely affect some cross-site interactions, in some cases making them less efficient or even less usable. However, Mozilla considers it imperative that this change occur so that users can be granted control - and awareness - of all instances where their information is transferred between sites. This proposal provides browsers with the opportunity to provide these capabilities. Note that Mozilla also wants to acknowledge an important privacy compromise in the proposal: identity providers learn when and where the identity they provide is used. Though alternative designs might be technically possible, this approach recognizes the security benefits gained by allowing identity providers the ability to audit logins. Furthermore, though this design enables an authorized identity to track cross-site activity, it only does so with the direct permission and knowledge of users.",
"mozPosition": "neutral",
"mozPositionDetail": "Federated login is a widely-used feature on the web with significant user benefits in usability and security. Unfortunately, federated identity on the web relies on the same techniques that are used to track web users. Federated Credential Management API provides an opportunity to put the browser in control of managing cross-site logins. However, FedCM currently gives too much power to the identity providers it works for and fails to facilitate other identity providers’ flows. The current FedCM API is designed with a lot of consideration for click-through rate optimization, which is a chief concern of social-login providers. One key design choice that has constrained subsequent decisions is that the initial UI rendered in the browser must be able to show the accounts available from the identity provider, facilitating single click account-linking. Mozilla would not render account information across information contexts before the user makes the choice to link those contexts. However, Google currently does, providing a browser-controlled UI that looks very similar to Google Identity Services’ OneTap widget where third-party cookies are already shared. This is evidence of a bug in the specification, not a feature of “engine freedom” to develop innovative UI. We believe the reduced scope of the Lightweight FedCM proposal is much closer to appropriately balancing the interests of developers and users and is much more likely to reach a solution all browsers would implement.",
"mozPositionIssue": 618,
"org": "Proposal",
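Review bot: The replacement "mozPositionDetail" drops the old text's acknowledgement that identity providers learn when and where the identity they provide is used, and it does not say whether that trade-off still applies under the "neutral" position; one sentence carrying that point forward, or stating that it no longer holds, would keep the entry self-contained. The new text also cites the "Lightweight FedCM proposal" with no link or identifier, and uses "information contexts" without defining it, so a reader of this field alone cannot follow either reference. Minor wording: "Federated Credential Management API provides" is missing its leading "The", which the old text had.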
Member

Suggested change
"org": "Proposal",
"org": "W3C",

Member

@tantek tantek left a comment

Yes, change org to W3C, and similarly, if you could update the mozPositionDetail with a summary of the comment you made on #618, that would help provide a self-contained update of why we are changing the position to "neutral". Otherwise, from an outside perspective, it's not obvious (without hunting/clicking) why the position changed.
