[whatwg/fetch] Add a way to have cookie origin and CORS origin be different (Issue #1637) from npm1 on 2023-04-20 (public-webapps-github@w3.org from April 2023)

From: npm1 <notifications@github.com>
Date: Thu, 20 Apr 2023 08:34:13 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/1637@github.com>

Per https://github.com/fedidcg/FedCM/issues/428#issuecomment-1507543916, the FedCM API would like to have the following properties for its ID assertion fetch:
1. The fetch uses the first-party identity provider cookies: this is needed for all relevant cookies to be available in order for the IDP to know which account to use.
2. The fetch performs a CORS check against the API caller, which is the relying party. The relying party and the identity provider are different origins.

Our understanding is that there is currently no way to have the origin for (1) be different from the origin used for (2). But this seems to be required if we want to add a CORS check to this fetch. Let me know if I'm missing something, or any thoughts/ideas. Thanks!

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1637
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/issues/1637@github.com>

Received on Thursday, 20 April 2023 15:34:20 UTC