We have recently shipped <https://chromestatus.com/feature/5177628008382464> the login status API to let identity providers (IdPs) (and, technically, other websites) tell Chrome when a user is logging in to or logging out from the website.
We previously only allowed setting the login status on toplevel loads or for subresources which are same-origin with all their ancestors, both when using the JavaScript API and when using the HTTP header. As described here <https://github.com/fedidcg/FedCM/issues/537>, we now also allow same-site (same eTLD+1) subresources to set a login status (for the origin of the subresource). This is useful for IdPs where the IdP login happens on one subdomain, but the FedCM endpoint is on a different subdomain. To make sure that FedCM works correctly, the login status needs to be set on the FedCM subdomain. The change has been approved by the Chrome Web Platform security and privacy teams and will ship in Chrome 122. Spec change: https://github.com/fedidcg/FedCM/pull/538 WPT tests added in https://chromium-review.googlesource.com/c/chromium/src/+/5207174 -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPTJ0XHOLmKkgNtmySMj65%3D%3DAJ8HwkWkHHuarC_n2EcahYycAg%40mail.gmail.com.