Re: [w3ctag/design-reviews] TAG review request for the IDP signin status API (Issue #884) from Christian Biesinger on 2023-08-23 (public-webapps-github@w3.org from August 2023)

From: Christian Biesinger <notifications@github.com>
Date: Wed, 23 Aug 2023 14:51:15 -0700
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/884/1690692862@github.com>

I should have mentioned in the initial request:

We (Chrome) think that this proposal in combination with measuring user metrics is sufficient to address the timing attack. We are tracking per-RP and per-IDP metrics to detect abusive IDPs; combined with this proposal (which shows a dialog when a credentialed requested was made) solves the silent timing attack problem and makes the "loud" timing attack impractical.

We understand that other browsers have different privacy tradeoffs and have (tried to) write the spec such that they can gate FedCM requests on user interaction before credentialed requests are sent.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/884#issuecomment-1690692862
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/884/1690692862@github.com>

Received on Wednesday, 23 August 2023 21:51:21 UTC