Re: [w3ctag/design-reviews] requestStorageAccessForOrigin (Issue #808) from Johann Hofmann on 2023-03-13 (public-webapps-github@w3.org from March 2023)

From: Johann Hofmann <notifications@github.com>
Date: Mon, 13 Mar 2023 13:14:40 -0700
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/808/1466894370@github.com>

Hi Peter, thanks for your questions.

> I have concerns about the SSO use cases. The goals listed are explicit features of FedCM. I understand that this feature could ship faster than FedCM but adding something new that will need to be maintained and exposes additional complexity, security, and privacy risk just for interim support is generally not a good path forward.

Can you be more specific as to which goals are explicit features of FedCM? I'm not sure I really understand. I think comparing this to FedCM isn't quite apples-to-apples and really depends on the context and use cases we're talking about. It should be noted that FedCM in its current form (which already shipped) doesn't really aim to solve SSO, but federated/social login (though, naturally, we think that the FedCM user experience is a promising model for future attempts at generalizing on more identity flows such as SSO).

> Furthermore, while I understand that some of the cross-site behaviors can be useful to some users, they can get in the way of others. For example, if a user wants to maintain different experiences on different TLDs, for example the same site in different countries, how would they do that?

This is why this proposal exists, in a way. Post cross-site cookies, browser vendors make very different choices about how they may derive permission for sites to share a common user identity. Some browser vendors always prompt users in these situations, e.g. Safari. Firefox and Edge would prompt sometimes but usually auto-grant via their 5-domain heuristic. At Chrome we're still working on our prompt design but we hope to absorb a lot of these prompts into known cross-site user flows that are registered via FPS. This API is compatible with all these choices and other future UX explorations.

So, this question ultimately depends on which browser you're using. In Chrome, the user might disable FPS in their cookie settings, for example. It should be noted that sites may be adding this integration for good reasons and it's not clear whether most users generally have enough technical understanding to know why they would choose to isolate two different top-level sites.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/808#issuecomment-1466894370
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/808/1466894370@github.com>

Received on Monday, 13 March 2023 20:14:53 UTC