LGTM2 On Wednesday, November 20, 2024 at 3:23:26 AM UTC+1 Domenic Denicola wrote:
> LGTM1. > > Note that "consensus in the WG" and "stage 2" are not terribly meaningful > signals for the API owners. (Or at least, for me, when trying to fulfill my > API owner duties.) We need to judge whether the specification proposed > meets the requirements of the Blink process > <https://www.chromium.org/blink/launching-features/#new-feature-prepare-to-ship>, > > which includes features like: is sufficiently detailed that a second > implementation could implement; does not have any outstanding significant > feedback or open issues; has received sufficient review; etc. In this > particular case, until recently there was an outstanding negative review > from a Gecko representative, so I wanted to delay LGTMing until that was > cleared (which now it is). > > Hopefully this perspective is helpful for future feature work, and I'm > glad to hear the WG is working on streamlining the process to make this > smoother for you all. > > On Friday, November 15, 2024 at 12:11:28 AM UTC+9 Yi Gu wrote: > >> Hi Chris, >> >> Similar to the other I2S >> <https://groups.google.com/a/chromium.org/g/blink-dev/c/4arGqVW6V_Y?e=48417069>, >> >> our team is working with the FedID Working Group for standard work. At TPAC >> the proposals got the approval >> <https://github.com/w3c-fedid/active-mode/issues/2#issuecomment-2379788096> >> to >> advance to stage 2 >> <https://github.com/w3c-fedid/Administration/blob/main/proposals-CG-WG.md#stage-2-formalization>. >> Since >> then we brought the spec PRs to the WG calls a couple of times and people >> are generally aligned. Since the WG is newly formed this year, the chairs >> and members are collaborating to streamline procedures such as merging spec >> PRs and we are in the middle of the process. >> >> Yi >> >> >> >> On Wed, Nov 13, 2024 at 11:27 AM Chris Harrelson <chris...@chromium.org> >> wrote: >> >>> >>> >>> On Thu, Nov 7, 2024 at 2:37 PM Zachary Tan <tanzach...@chromium.org> >>> wrote: >>> >>>> Contact emails >>>> >>>> y...@chromium.org, tanzach...@chromium.org, cbiesin...@chromium.org >>>> >>>> Explainer >>>> >>>> https://github.com/w3c-fedid/active-mode >>>> >>>> Specification >>>> >>>> Spec PR for the Mode API: https://github.com/w3c-fedid/FedCM/pull/660 >>>> >>>> Spec PR for the Use Another Account API: >>>> https://github.com/w3c-fedid/FedCM/pull/678 >>>> >>> >>> These spec PRs are still open, is there something blocking finishing and >>> landing them? >>> >>> >>>> Summary >>>> >>>> We intend to ship two new extensions for FedCM to address two issue >>>> that were collectively identified as CR blockers >>>> <https://github.com/w3c-fedid/FedCM/wiki/Status-of-FPWD%E2%80%90identified-Issues> >>>> by >>>> the FedID WG: “A not-yet logged in IDP has no route to success” >>>> <https://github.com/w3c-fedid/active-mode/issues/2> and “Allow signing >>>> in to additional account(s) >>>> <https://github.com/w3c-fedid/FedCM/issues/511>”. >>>> >>>> To address this issue, we intend to introduce the following extensions >>>> to FedCM: >>>> >>>> - Mode: The “active” mode allows websites to call FedCM inside a button >>>> click (e.g. clicking on a “Sign-in to IdP” button), which requires FedCM >>>> to >>>> guarantee it will always respond with a visible user interface (as opposed >>>> to in “passive” mode, which doesn’t show any UI when users are logged >>>> out). >>>> So, calling the FedCM API in “active mode” takes users to login to the >>>> Identity Provider (IdP) when users are logged-out. Also, because the >>>> active >>>> mode is called within an explicit user gesture, the UI is also more >>>> prominent (e.g. centered and modal) compared to the UI from the passive >>>> mode (which doesn’t require a user gesture requirement and can be called >>>> on >>>> page load). >>>> >>>> - Use Other Account: With this extension, an IdP can allow users to >>>> sign in to other accounts. >>>> >>>> In addition, the APIs are solving two related CR blockers >>>> <https://github.com/w3c-fedid/FedCM/wiki/Status-of-FPWD%E2%80%90identified-Issues> >>>> identified >>>> <https://lists.w3.org/Archives/Public/public-fedid-wg/2024Jul/0006.html> >>>> by >>>> the FedID WG. >>>> >>>> Feedback from Origin Trial: >>>> >>>> We ran the Origin Trial >>>> <https://developer.chrome.com/origintrials/#/view_trial/2288391560657633281> >>>> with >>>> 30+ registrants. The feedback we got was positive. >>>> >>>> From the extension’s perspective, this proposal is sufficient >>>> <https://github.com/w3c-fedid/active-mode/issues/2#issuecomment-2341644914> >>>> to assist the users who are not signed in to their IdP when FedCM >>>> extension is invoked. We also renamed the extension from “button” mode to >>>> “active” mode to untie from certain UI affordances which was well >>>> received >>>> <https://github.com/w3c-fedid/FedCM/pull/660#issuecomment-2414525421> by >>>> partners as well. >>>> >>>> From UX’s perspective, we have been iterating on the Chrome >>>> implementation based on feedback to address potential usability issues and >>>> provide users better context about their login. >>>> >>>> Blink component >>>> >>>> Blink>Identity>FedCM >>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EIdentity%3EFedCM> >>>> >>>> Search tags >>>> >>>> fedcm <https://chromestatus.com/features#tags:fedcm> >>>> >>>> TAG review >>>> >>>> https://github.com/w3ctag/design-reviews/issues/935 >>>> >>>> TAG review status >>>> >>>> Pending >>>> >>>> Chromium Trial Name >>>> >>>> FedCmButtonMode, FedCmUseOtherAccount >>>> >>>> Origin Trial documentation link >>>> >>>> >>>> https://developers.google.com/privacy-sandbox/blog/fedcm-chrome-125-updates#button-mode-api >>>> >>>> WebFeature UseCounter name >>>> >>>> kFedCmButtonMode, kFedCmUseOtherAccount >>>> >>>> Risks >>>> Interoperability and Compatibility >>>> >>>> Gecko: Not filing a standards position request for small additions at >>>> the explicit request from Firefox (they prefer PRs). Positive on the >>>> “active” mode based on TPAC discussions and GitHub issues >>>> <https://github.com/w3c-fedid/active-mode/issues/2#issuecomment-2341644914> >>>> . >>>> >>>> WebKit: No signal on the particular FedCM extensions. Positive >>>> <https://github.com/WebKit/standards-positions/issues/309#issuecomment-2008324563> >>>> on >>>> the initial FedCM API. Standards position requests for FedCM extensions >>>> have been merged >>>> <https://github.com/WebKit/standards-positions/issues/309> so not >>>> filing a new one. >>>> >>>> Web developers: Positive <https://github.com/fedidcg/FedCM/issues/442> >>>> These >>>> features are being developed to address existing feedback for the FedCM >>>> API. >>>> >>>> Other signals: N/A >>>> >>>> Activation >>>> Similar to the FedCM API, we deliberately leave the bulk of the work to >>>> the IdP to ensure that minimal RP change is needed. >>>> >>>> This feature, specifically, is one that can be currently controlled by >>>> JS SDKs, so we expect activation to have a similar profile as FedCM: >>>> immediately enabled to websites (without redeployment) by IdPs making use >>>> of it (by redeploying their JS SDKs). >>>> >>>> Security >>>> >>>> The active mode shares all of the security properties from the passive >>>> mode. e.g. honoring CSP, CORS, using security headers, not asking users to >>>> type in the browser UI etc. >>>> >>>> It’s worth noting that the pop-up window has the same web platform >>>> properties as what one would get with >>>> window.open(url,””,”popup,noopener,noreferrer”)) that loads the login_url. >>>> There's no communication between the website and this pop-up is allowed >>>> (e.g. no postMessage, no window.opener). >>>> >>>> WebView application risks >>>> >>>> Does this intent deprecate or change behavior of existing APIs, such >>>> that it has potentially high risk for Android WebView-based applications? >>>> >>>> None >>>> >>>> Debuggability >>>> >>>> Same as FedCM in general – console messages in devtools and general JS >>>> debugging. e.g. we show messages when transient activation is missing when >>>> invoking an active mode, or when a passive flow is terminated in favor of >>>> an active flow etc. >>>> >>>> Will this feature be supported on all six Blink platforms (Windows, >>>> Mac, Linux, ChromeOS, Android, and Android WebView)? >>>> >>>> No, FedCM API is not available in WebView >>>> >>>> Is this feature fully tested by web-platform-tests >>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>>> ? >>>> >>>> Yes >>>> <https://wpt.fyi/results/fedcm/fedcm-button-and-other-account?label=master&label=experimental&aligned&q=fedcm%2Ffedcm-button-and-other-account%2F> >>>> >>>> Flag name on chrome://flags >>>> >>>> FedCmButtonMode, FedCmUseOtherAccount >>>> >>>> Finch feature name >>>> >>>> FedCmButtonMode, FedCmUseOtherAccount >>>> >>>> Requires code in //chrome? >>>> >>>> True >>>> >>>> Tracking bug >>>> >>>> https://crbug.com/1490588, https://crbug.com/40939658 >>>> >>>> Launch bug >>>> >>>> https://launch.corp.google.com/launch/4348674 >>>> >>>> Sample links >>>> >>>> https://fedcm-button.glitch.me >>>> >>>> Estimated milestones >>>> >>>> Shipping on desktop >>>> >>>> 132 >>>> >>>> Origin trial desktop first >>>> >>>> 125 >>>> >>>> Origin trial desktop last >>>> >>>> 133 >>>> >>>> Origin trial extension 1 end milestone >>>> >>>> 130 >>>> >>>> Origin trial extension 2 end milestone >>>> >>>> 133 >>>> >>>> DevTrial on desktop >>>> >>>> 124 >>>> >>>> Shipping on Android >>>> >>>> 132 >>>> >>>> Origin trial Android first >>>> >>>> 128 >>>> >>>> Origin trial Android last >>>> >>>> 133 >>>> >>>> DevTrial on Android >>>> >>>> 125 >>>> >>>> >>>> Anticipated spec changes >>>> >>>> Open questions about a feature may be a source of future web compat or >>>> interop issues. Please list open issues (e.g. links to known github issues >>>> in the project for the feature specification) whose resolution may >>>> introduce web compat/interop risk (e.g., changing to naming or structure >>>> of >>>> the API in a non-backward-compatible way). >>>> >>>> None >>>> >>>> Link to entry on the Chrome Platform Status >>>> >>>> https://chromestatus.com/feature/4689551782313984?gate=4942283999019008 >>>> >>>> Links to previous Intent discussions >>>> >>>> Intent to Prototype: >>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACh2XCPzJ1beiSbsmQqvu9x24zmf6LkGuup%3DgPVyXEx%2Bux9%3Dyg%40mail.gmail.com >>>> >>>> Intent to Experiment: >>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1745ebe7-6c98-49c7-9d98-94b25d39b409n%40chromium.org >>>> >>>> Intent to Extend Experiment 1: >>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/bQqXXv2S9q0/m/yHvhuFL3AQAJ >>>> Intent to Extend Experiment 2: >>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACh2XCMPQ9s2hUR2UYuTTkRDra0qfjxBXA0bOme2baQGbPE6NA%40mail.gmail.com >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "blink-dev" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to blink-dev+unsubscr...@chromium.org. >>>> To view this discussion visit >>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK9HhFkgmbC_UG8G5yYguB609UZY%3DV66qrJrVor3PdStbadY6g%40mail.gmail.com >>>> >>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK9HhFkgmbC_UG8G5yYguB609UZY%3DV66qrJrVor3PdStbadY6g%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>> -- >>> >> You received this message because you are subscribed to the Google Groups >>> "web-identity-core" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to web-identity-core+unsubscr...@google.com. >>> To view this discussion visit >>> https://groups.google.com/a/google.com/d/msgid/web-identity-core/CAOMQ%2Bw90Jj7RBzmjrrQFD274KthUpLLQ5u_XxvOxYHECzquxQQ%40mail.gmail.com >>> >>> <https://groups.google.com/a/google.com/d/msgid/web-identity-core/CAOMQ%2Bw90Jj7RBzmjrrQFD274KthUpLLQ5u_XxvOxYHECzquxQQ%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> For more options, visit https://groups.google.com/a/google.com/d/optout. >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "web-identity-xfn" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to web-identity-xfn+unsubscr...@google.com. >>> To view this discussion visit >>> https://groups.google.com/a/google.com/d/msgid/web-identity-xfn/CAOMQ%2Bw90Jj7RBzmjrrQFD274KthUpLLQ5u_XxvOxYHECzquxQQ%40mail.gmail.com >>> >>> <https://groups.google.com/a/google.com/d/msgid/web-identity-xfn/CAOMQ%2Bw90Jj7RBzmjrrQFD274KthUpLLQ5u_XxvOxYHECzquxQQ%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> For more options, visit https://groups.google.com/a/google.com/d/optout. >>> >> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/6ea206af-6cf5-4b3f-bbda-f02bed7647b0n%40chromium.org.
