- From: Ehsan Toreini <notifications@github.com>
- Date: Mon, 05 Jan 2026 08:00:11 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/1136/3711034288@github.com>
toreini left a comment (w3ctag/design-reviews#1136)
Dear @cbiesinger,
We should have asked for this earlier, but can you please write an Explainer for this proposed change? From the comments you posted, we don't see a clear statement that describes the current state.
Considering three entities: (a) top origin (kitten.com) (b) iframe (iframe.com) (c) idp (idp.com) and the top-origin and iframe are already in relation and idp is aware of it.
* If FedCM without this change currently shows the iframe that's trying to log in (i.e. the current output string in the authn prompt is `iframe.com signs in with idp.com`, based on the initial comment on the thread, which is followed by the original explainer comment. Especially, the image inside the original explainer comment and updated explainer comment), then:
  * without proposed change: `iframe.com signs in with idp.com`
  * with proposed change: `kitten.com signs in with idp.com` or `kitten.com uses iframe.com to sign in with idp.com`
Going back to the purpose of this spec (informing the users), we're concerned that this reduces the amount of information the user gets about who will learn their identity.
* If FedCM without this change currently shows the top-level origin (i.e. the output string in the authn prompt is `kitten.com signs in with idp.com`, which seems to be the current implementation), then:
  * without proposed change: `kitten.com signs in with idp.com`
  * with proposed change: `kitten.com signs in with idp.com` or `kitten.com uses iframe.com to sign in with idp.com`
In this case, can you please describe in the explainer why you think it's user-beneficial to show just the top-level RP and the IDP (as opposed to always showing all three)?
Received on Monday, 5 January 2026 16:00:15 UTC