FedCM Permissions Policy

[npm1]

Request for Mozilla Position on an Emerging Web Specification

• Specification Title: Federated Credential Management API
• Specification or proposal URL: Permissions policy integration here
• Mozillians who can provide input (optional): @martinthomson @bvandersloot-mozilla

Other information

The FedCM API position was marked positive here. This request is specifically about the addition of a permissions policy so that a main frame grants permission to an iframe to invoke the FedCM API.

[bvandersloot-mozilla]

This seems like a good idea. My initial reaction is that no iframe should have this permission, but then I remembered that some of the NASCAR buttons are in iframes. I assume that is the motivating use case @npm1 ? Any I miss?

If we accept that a iframe should have the power to call the API, then we should allow sites to protect themselves and an opt-in mechanism makes sense, especially per-iframe.

[npm1]

Yea, there are RPs which choose to embed the IDP script on a cross-origin iframe. It is also feasible for there to be use-cases where it is the iframe itself the one that needs authentication, but we don't yet have a concrete partner for that scenario.

[bvandersloot-mozilla]

This doesn't quite merit an entry in the standards-position dashboard, but we do agree that it is a positive change. To reflect that, we will label the issue as positive and close it without a PR. Thanks!