LGTM3

On Saturday, October 25, 2025 at 4:56:13 PM UTC+2 Mike Taylor wrote:

> I see, thanks. Marking them as extensions totally makes sense, but doing that inside of spec Issues is perhaps confusing (and makes their normative status unclear, but they're all optional I guess?). That said, that's up to the WG and spec editor to solve, not me. :)
>
> LGTM2
>
> On 10/24/25 4:49 p.m., Nicolás Peña Moreno wrote:
>
> Yes, the extension is meant to specify optional functionality because Firefox did not want the client metadata endpoint and other parts of FedCM to belong to the main specification. Our current workaround is to add them to the specs as 'extensions,' although we want to move them to a separate 'extensions specification' later.
>
> On Fri, Oct 24, 2025 at 10:36 AM Mike Taylor <[email protected]> wrote:
>
>> On 10/17/25 10:41 a.m., suresh potti wrote:
>>
>> Specification
>>
>> https://github.com/w3c-fedid/FedCM/pull/760
>>
>> I have a question about how this is specified - it seems like normative requirements (for all extensions) are captured as issues in the spec. I don't really know how to think about that, i.e., https://w3c-fedid.github.io/FedCM/#issue-81964997, https://w3c-fedid.github.io/FedCM/#idp-api-client-id-metadata-endpoint, etc.
>>
>> How is that different than other more traditional issues (i.e., "there's a known problem we need to fix") like https://w3c-fedid.github.io/FedCM/#issue-7ded5c77? Is the plan to eventually promote those to normative text, or non-normative Notes (if all extensions are optional?)
>>
>> I think I know what an extension is in this context (presumably some optional functionality), but it's also not defined anywhere.
>>
>> Summary
>>
>> To address cross-site identity correlation risks in the FedCM API, Identity Providers (IdPs) that utilize client_metadata within their FedCM configuration are required to implement the direct endpoints format in the .well-known/web-identity file. This mandate ensures that both accounts_endpoint and login_url are explicitly defined whenever a client_metadata_endpoint is present. This approach strengthens privacy protections by preventing relying parties from exploiting metadata to correlate user identities across multiple sites. For further details and discussion, refer to https://github.com/w3c-fedid/FedCM/issues/700.
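
Added example, not part of the thread and not FedCM or Chromium code: a check an IdP could run over its own files for the rule in the quoted Summary. The function names, URLs and file contents are constructed, and comparing the well-known values with the config file's values is an assumption beyond what the thread states.

```javascript
// Added example. Field names are from the thread; everything else is constructed.
const REQUIRED_DIRECT_FIELDS = ["accounts_endpoint", "login_url"];

// Resolve a possibly relative URL against the file it came from.
function resolveOrNull(value, base) {
  if (typeof value !== "string" || value.trim() === "") return null;
  try {
    return new URL(value, base).href;
  } catch {
    return null;
  }
}

// Returns a list of problems; an empty list means the rule is satisfied.
function checkDirectEndpoints(wellKnown, wellKnownUrl, config, configUrl) {
  const problems = [];
  // The rule only applies when the config declares a client metadata endpoint.
  if (!config.client_metadata_endpoint) return problems;
  for (const field of REQUIRED_DIRECT_FIELDS) {
    if (typeof wellKnown[field] !== "string" || wellKnown[field].trim() === "") {
      problems.push(`${field}: missing from well-known file`);
      continue;
    }
    const fromWellKnown = resolveOrNull(wellKnown[field], wellKnownUrl);
    const fromConfig = resolveOrNull(config[field], configUrl);
    if (fromWellKnown === null) {
      problems.push(`${field}: not a valid URL in well-known file`);
    } else if (fromWellKnown !== fromConfig) {
      // Assumption: the direct value is expected to match the config file's.
      problems.push(`${field}: well-known and config disagree`);
    }
  }
  return problems;
}

// Constructed sample files for a hypothetical IdP.
const WELL_KNOWN_URL = "https://idp.example/.well-known/web-identity";
const CONFIG_URL = "https://accounts.idp.example/fedcm/config.json";
const sampleConfig = {
  accounts_endpoint: "/fedcm/accounts",
  client_metadata_endpoint: "/fedcm/client_metadata",
  login_url: "/login",
};
const providerOnlyWellKnown = { provider_urls: [CONFIG_URL] };
const directWellKnown = {
  provider_urls: [CONFIG_URL],
  accounts_endpoint: "https://accounts.idp.example/fedcm/accounts",
  login_url: "https://accounts.idp.example/login",
};
console.log(checkDirectEndpoints(providerOnlyWellKnown, WELL_KNOWN_URL, sampleConfig, CONFIG_URL));
```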
