- From: Ehsan Toreini <notifications@github.com>
- Date: Thu, 23 Oct 2025 05:32:40 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/1136/3436683780@github.com>
toreini left a comment (w3ctag/design-reviews#1136)
Dear @cbiesinger, @yi-gy, @npm1,
We appreciate your detailed feedback on the proposal. To clarify and address our concerns, we would like to ask the following:
* Attack Surface: The current proposal might increase the potential attack surface, and we questioned what triggered its recent reconsideration (especially in malicious RP and social engineering attack vectors). You mentioned a few potential attack scenarios in the Privacy and Security section. Could you elaborate on specific attack vectors you foresee when the RP is malicious, and what safeguards could be implemented to minimise the risk from malicious developers?
* Example attack (Phishing Scenario): an evil site could exploit the specification to deceive users if the iframe URL is not shown. Consider the following:
  * An evil site (`kitten.com`) could feature a button for authentication on `google.com`. However, when the user clicks it, the site loads `gogle.com` (a domain owned by the evil site).
  * Following this spec, the user will see `kitten.com` displayed above the iframe, maintaining trust in the authentication process without suspicion.
  * It doesn't matter whether the IdP is benign or malicious, or whether the authentication succeeds or fails, because `gogle.com` is already in the permission list of `kitten.com`, and the user has been presented with `kitten.com` on the iframe.
  * If the iframe had displayed all three URLs (`gogle.com`, `kitten.com`, `idp.com`), the user could have noticed the discrepancy.
* Incognito Mode Behaviour: I am interested to know about the behaviour of the specification in incognito mode and potential information leakage. Could you clarify how the specification should handle private browsing modes to ensure user privacy and security?
We value your input and look forward to your further insights to refine the proposal and address these critical issues effectively.
--
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/1136#issuecomment-3436683780
Received on Thursday, 23 October 2025 12:32:44 UTC