Re: [w3ctag/design-reviews] FedCM: LoginHint, UserInfo, and RPContext (Issue #839)

Hmm ok. But how did the user log in to the site via FedCM? They must have had to log in to the IDP. So I suppose the steps are:

- Log in to IDP
- Visit RP and log in to RP by using FedCM
- Log out of RP only.
- Leave the computer for next person to use.

So in this case, the next person seeing person A's name and email on the RP can just as easily instead visit the IDP site, where person A is still logged in (!!!). So the UserInfo API is the least of person A's problems, and does not introduce any new information that the stalker cannot learn otherwise. In fact, the stalker has complete access to person A's IDP at this point since they forgot to log out of the IDP, regardless of the UserInfo API.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/839#issuecomment-1992453322

Message ID: <w3ctag/design-reviews/issues/839/1992453322@github.com>

Received on Tuesday, 12 March 2024 19:57:02 UTC