[FedCM] Allow setting login status from a same-site request

This relaxes the same-origin requirement to same-site for processing the login status header. This is useful for IDPs who process IDP logins on a different host than the FedCM endpoint. This is behind a default-enabled flag so we can easily disable this in case of issues. The virtual test suite explicitly enables the flag so that the test will keep working in case the flag has to be turned off. Approved by Security & Privacy in https://docs.google.com/document/d/1vZiEh4Q45gleW0lmtfgxMflqarMkcTk0Itwoo6724Vo/edit?resourcekey=0-WjqaM1SrhAoFbhmGNyyyJA&tab=t.0 Bug: 1516640 Change-Id: I8825e66b43d7d3a6fae7db2447281502fb8015c9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5207174 Reviewed-by: John Abd-El-Malek <[email protected]> Commit-Queue: Christian Biesinger <[email protected]> Reviewed-by: Yi Gu <[email protected]> Reviewed-by: Robert Flack <[email protected]> Cr-Commit-Position: refs/heads/main@{#1249349}
web-platform-tests · Jan 19, 2024 · 1e3137a · 1e3137a
1 parent b8bca44
commit 1e3137a
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 23 deletions.
diff --git a/credential-management/fedcm-login-status/cross-origin-status.https.html b/credential-management/fedcm-login-status/cross-origin-status.https.html
@@ -9,15 +9,35 @@
 <script type="module">
 import {fedcm_test,
         alt_manifest_origin,
+        same_site_manifest_origin,
+        set_fedcm_cookie,
+        select_manifest,
+        request_options_with_mediation_required,
         alt_request_options_with_mediation_required,
+        fedcm_get_and_select_first_account,
         open_and_wait_for_popup,
         mark_signed_out} from '../support/fedcm-helper.sub.js';
 
-const url_prefix = alt_manifest_origin + '/credential-management/support/';
+const path = '/credential-management/support/'
+const url_prefix = alt_manifest_origin + path;
+const same_site_url_prefix = same_site_manifest_origin + path;
+
+fedcm_test(async t => {
+  await set_fedcm_cookie(same_site_manifest_origin);
+  await mark_signed_out(same_site_manifest_origin);
+  // The header should be processed successfully because it is same-site.
+  const fetch_result = await fetch(same_site_url_prefix + "mark_signedin");
+  assert_true(fetch_result.ok);
+
+  const config = request_options_with_mediation_required(undefined, same_site_manifest_origin);
+  await select_manifest(t, config);
+  const cred = await fedcm_get_and_select_first_account(t, config);
+  assert_equals(cred.token, "token");
+}, 'Cross-origin same-site status header should work from fetch()');
 
 fedcm_test(async t => {
   await mark_signed_out(alt_manifest_origin);
-  // The header should be ignored because it's a cross-origin fetch.
+  // The header should be ignored because it's a cross-site fetch.
   const fetch_result = await fetch(url_prefix + "mark_signedin");
   assert_true(fetch_result.ok);
 
@@ -28,7 +48,7 @@
 
 fedcm_test(async t => {
   await mark_signed_out(alt_manifest_origin);
-  // The header should be ignored because it's a cross-origin iframe.
+  // The header should be ignored because it's a cross-site iframe.
   let iframe = document.createElement("iframe");
   let iframe_load = new Promise(resolve => {iframe.onload = resolve;});
   iframe.src = url_prefix + "mark_signedin";
@@ -38,11 +58,11 @@
   const config = alt_request_options_with_mediation_required();
   const result = navigator.credentials.get(config);
   return promise_rejects_dom(t, 'NetworkError', result);
-}, 'Status header should be ignored from cross-origin iframe');
+}, 'Status header should be ignored from cross-site iframe');
 
 fedcm_test(async t => {
   await mark_signed_out(alt_manifest_origin);
-  // The header in the subresource should be ignored because the iframe is cross-origin.
+  // The header in the subresource should be ignored because the iframe is cross-site.
   let iframe = document.createElement("iframe");
   let iframe_load = new Promise(resolve => {iframe.onload = resolve;});
   iframe.src = url_prefix + "iframe-mark-signedin.html";
@@ -52,7 +72,7 @@
   const config = alt_request_options_with_mediation_required();
   const result = navigator.credentials.get(config);
   return promise_rejects_dom(t, 'NetworkError', result);
-}, 'Status header should be ignored from cross-origin iframe that contains a subresource with the header');
+}, 'Status header should be ignored from cross-site iframe that contains a subresource with the header');
 
 fedcm_test(async t => {
   await mark_signed_out(alt_manifest_origin);

diff --git a/credential-management/support/fedcm-helper.sub.js b/credential-management/support/fedcm-helper.sub.js
@@ -1,5 +1,6 @@
 export const manifest_origin = "https://{{host}}:{{ports[https][0]}}";
 export const alt_manifest_origin = 'https://{{hosts[alt][]}}:{{ports[https][0]}}';
+export const same_site_manifest_origin = 'https://{{hosts[][www1]}}:{{ports[https][0]}}';
 
 export function open_and_wait_for_popup(origin, path) {
   return new Promise(resolve => {
@@ -43,11 +44,11 @@ export function mark_signed_out(origin = manifest_origin) {
 
 // Returns FedCM CredentialRequestOptions for which navigator.credentials.get()
 // succeeds.
-export function request_options_with_mediation_required(manifest_filename) {
+export function request_options_with_mediation_required(manifest_filename, origin = manifest_origin) {
   if (manifest_filename === undefined) {
     manifest_filename = "manifest.py";
   }
-  const manifest_path = `${manifest_origin}/\
+  const manifest_path = `${origin}/\
 credential-management/support/fedcm/${manifest_filename}`;
   return {
     identity: {
@@ -64,21 +65,7 @@ credential-management/support/fedcm/${manifest_filename}`;
 // Returns alternate FedCM CredentialRequestOptions for which navigator.credentials.get()
 // succeeds.
 export function alt_request_options_with_mediation_required(manifest_filename) {
-  if (manifest_filename === undefined) {
-    manifest_filename = "manifest.py";
-  }
-  const manifest_path = `${alt_manifest_origin}/\
-credential-management/support/fedcm/${manifest_filename}`;
-  return {
-    identity: {
-      providers: [{
-        configURL: manifest_path,
-        clientId: '1',
-        nonce: '2'
-      }]
-    },
-    mediation: 'required'
-  };
+  return request_options_with_mediation_required(manifest_filename, alt_manifest_origin);
 }
 
 // Returns FedCM CredentialRequestOptions with auto re-authentication.