Re: [w3ctag/design-reviews] Incubation: FedCM: Support showing third-party iframe origins in the UI (Issue #1136)

cbiesinger left a comment (w3ctag/design-reviews#1136)

> Dear [@cbiesinger](https://github.com/cbiesinger) ,
> 
> Thanks for the response. Let me clarify my comments better:
> 
> 1. The spec you submitted as explainer (which is in fact a comment in an issue) was written almost 3 years ago. Can you please point me to any meeting note/discussion that triggered this reconsideration so I can have better insight?

Apologies for the old explainer. I am also realizing I neglected to link to https://github.com/w3c-fedid/FedCM/issues/725 which is a more up-to-date summary.

I don't have anything public to point to, but we have heard from partners that they wanted their iframe domain to be visible in the dialog. For example, imagine a photo editor embedded inside a website, perhaps a book editor.

The photo editor may want to allow the user to sign in to their photo editor account so that they can access previously stored files. Showing only the toplevel domain would be misleading.

On the other hand, some websites (real example) trigger the fedcm dialog from a `foostatic.com` iframe. The dialog would show `Sign in to foostatic.com with google.com` and the subtitle would say `foo.com embeds content from foostatic.com`, which is not very meaningful to the user.

> 3. As this is UI spec, I am not concerned about other potential attack scenarios at this stage of review, but I think all three URLs should be shown in the fedcm dialogue and replacing/removing any can be exploited if the RP is malicious. I am not trying to prove my proposed attack scenario is serious or not. I am asking if it is possible.
> 
> > If `kittens.com` (top origin) conspires with `gogle.com` (as an iframe origin), then replacing the `gogle.com signs in with idp.com` with `kitten.com signs in with idp.com` will make a potential URL scam possible (of course if the top frame is a matched client to the RP iframe). If all three are shown at all times, at least the user can have a chance to recognise any potential attack.
> 
> So now, I ask my question again (regardless of being serious or not): Is the above scenario possible? If yes, then replacing the `gogle.com` with `kitten.com` does not really help the user make an informed decision (despite making the user less confused).

Right now we show kitten.com (and the IDP, google.com). *With* the proposal we may show all three domains ("Sign in to gogle.com with google.com" with a subtitle "kitten.com embeds content from gogle.com"), depending on what the IDP tells us.

Your attack relies on having a harmless-looking toplevel origin that is actually malicious. But in this situation the toplevel frame can just trigger FedCM directly.

If you are imagining a benign toplevel and an evil iframe, this relies on the toplevel allowing the iframe to use FedCM with permissions policy (and CSP). And in this case, the IDP would tell the browser to show all three origins.

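As an added illustration (not part of this thread and not FedCM project code), the delegation the last paragraph refers to looks like this in practice: the top-level page must opt the embedded frame into FedCM through Permissions Policy, and the iframe then calls the API itself. The origins, config URL and client ID below are placeholders; whether the dialog ends up naming the iframe origin, the top-level origin, or both is decided by what the IDP tells the browser, not by this markup.

```html
<!-- Document served by the embedded origin, e.g. https://editor.example/embed (placeholder).

     Two things outside this file gate the call below:

     1. The top-level page (e.g. https://kitten.example, placeholder) must embed it with
        the feature delegated on the frame:
            <iframe src="https://editor.example/embed" allow="identity-credentials-get"></iframe>
     2. The top-level response may additionally restrict which origins can ever receive
        that delegation, which is the tighter default a site operator should prefer:
            Permissions-Policy: identity-credentials-get=(self "https://editor.example")

     If either is missing, the browser refuses the request (NotAllowedError) and no
     sign-in dialog is shown for this frame, so an embedded origin cannot opt itself in. -->
<!doctype html>
<title>Embedded editor (placeholder)</title>
<button id="signin">Sign in to the editor</button>
<script>
  async function signInWithFedCM() {
    // Feature detection: IdentityCredential is only defined where FedCM is supported.
    if (!('IdentityCredential' in window)) {
      console.log('FedCM not available in this browser');
      return;
    }
    try {
      const credential = await navigator.credentials.get({
        identity: {
          providers: [{
            // Placeholder IDP config and client id; the clientId must be one the IDP
            // has registered for this embedded origin, otherwise the IDP rejects it.
            configURL: 'https://idp.example/fedcm.json',
            clientId: 'editor-client-id-placeholder',
          }],
        },
      });
      // credential.token is issued by the IDP for this client; it must be verified
      // server-side before any account state is granted.
      console.log('token received, length', credential.token.length);
    } catch (err) {
      if (err.name === 'NotAllowedError') {
        // Expected when the embedder did not delegate identity-credentials-get,
        // or when the user dismissed the dialog.
        console.log('FedCM not permitted in this frame or dismissed by the user');
      } else {
        console.log('FedCM request failed:', err.name);
      }
    }
  }
  document.getElementById('signin').addEventListener('click', signInWithFedCM);
</script>
```

The point of the two-layer gate is the one made above: an iframe only gets to trigger the dialog when a top-level page has deliberately granted it the feature, so a malicious embed on an otherwise benign site cannot surface a sign-in prompt on its own.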

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/1136#issuecomment-3444693814
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/1136/3444693814@github.com>

Received on Friday, 24 October 2025 19:51:59 UTC