Re: [w3ctag/design-reviews] Early Design Review: Lightweight FedCM (Issue #986)

> Another opposite TAG preference also appeared in the discussion: the lightweight API makes it more trivial to join identities (because it assumes granting storage access), and perhaps it's worth having a heavier API with purpose-built features for each use case, in order to impose speed bumps on that identity joining.

This is a common misconception about FedCM / SAA autogranting and it's simply objectively not true. FedCM mediates a unique high-entropy user identifier, which means there's no difference to 3PC access (this is why it has a prompt).

We discuss the privacy implications of the autogrant in extensive detail [here](https://github.com/explainers-by-googlers/storage-access-for-fedcm?tab=readme-ov-file#rp-control-over-idp-storage-access), but happy to chat about this in more detail if needed.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/986#issuecomment-2356583753

Message ID: <w3ctag/design-reviews/issues/986/2356583753@github.com>

Received on Tuesday, 17 September 2024 18:06:58 UTC