- From: Ehsan Toreini <notifications@github.com>
- Date: Thu, 23 Oct 2025 16:23:33 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/1136/3439727103@github.com>
toreini left a comment (w3ctag/design-reviews#1136)

Dear @cbiesinger,

Thanks for the response. Let me clarify my comments better:

1) Can you please point us to the concern that triggered reconsidering this proposal now? The spec you submitted as the explainer (which is in fact a comment in an issue) was written almost 3 years ago. Can you please point me to any meeting note/discussion so I can have better insight?

2) As this is a UI spec, I am not concerned about other potential attack scenarios, but I think all three URLs should be shown in the FedCM dialogue, and replacing/removing any of them can be exploited if the RP is malicious. I am not trying to prove whether my proposed attack scenario is serious or not. I am asking: is it possible?

> If `kittens.com` (top origin) conspires with `gogle.com` (as an iframe origin), then replacing the `gogle.com signs in with idp.com` with `kitten.com signs in with idp.com` will make a potential URL scam possible (of course, only if the top frame is a matched client to the RP iframe). If all three are shown at all times, at least the user has a chance to recognise any potential attack.

So now, I ask my question again (regardless of whether it is serious or not): is the above scenario possible? If yes, then replacing `gogle.com` with `kitten.com` does not really help the user make an informed decision (despite making the user less confused). I hope I am clear enough now.

3) Thanks for the clarification on the incognito mode ceremony.

Regards,
Ehsan

--
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/1136#issuecomment-3439727103
Received on Thursday, 23 October 2025 23:23:37 UTC