
Allow setting IDP login status from same-site subresources

Category
Miscellaneous
Type
No developer-visible change
Status
Enabled by default (Chrome 122)
Intent stage
None

Summary

We now also allow same-site (same eTLD+1) subresources to set a login status (for the origin of the subresource). This is useful for IdPs where the IdP login happens on one subdomain, but the FedCM endpoint is on a different subdomain. To make sure that FedCM works correctly, the login status needs to be set on the FedCM subdomain.

Motivation

The login status API currently only allows setting the login status on top-level loads or for subresources that are same-origin with all their ancestors, both when using the JavaScript API and when using the HTTP header. However, some IdPs want to use one origin for their FedCM endpoints but log in users on a different origin. With the same-origin restriction, this would require a top-level redirect or opening a popup, which leads to disruptive user experiences, especially if the current login flow does not depend on a top-level navigation.
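The difference between the earlier same-origin rule and the relaxed same-site rule, as an added example (not Chrome's code). It assumes the same-site check applies to every ancestor, as the same-origin check did; the suffix set, host names and function names are constructed for illustration.

```javascript
// Constructed stand-in for the Public Suffix List (assumption; use the full PSL in real code).
const PUBLIC_SUFFIXES = new Set(["example", "com", "co.uk"]);

// eTLD+1: the longest matching public suffix plus one more label.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix: no registrable domain, never same-site
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Schemeful same-site: same scheme and same eTLD+1.
function sameSite(a, b) {
  const ua = new URL(a), ub = new URL(b);
  const da = registrableDomain(ua.hostname);
  return da !== null && ua.protocol === ub.protocol &&
         da === registrableDomain(ub.hostname);
}

// Returns the origin whose login status would be set, or null if the
// request is not allowed to set one. `ancestors` is empty for a top-level load.
function loginStatusOrigin(resourceUrl, ancestors, rule) {
  const check = rule === "same-site" ? sameSite : sameOrigin;
  const allowed = ancestors.every((a) => check(resourceUrl, a));
  return allowed ? new URL(resourceUrl).origin : null;
}

// Constructed scenarios (hypothetical hosts).
const FEDCM = "https://fedcm.idp.example/status";
const scenarios = [
  ["IdP login page on sibling subdomain", ["https://accounts.idp.example/login"]],
  ["relying party page", ["https://rp.example/"]],
  ["IdP frame nested in relying party", ["https://accounts.idp.example/", "https://rp.example/"]],
  ["top-level load", []],
];
for (const [name, ancestors] of scenarios) {
  console.log(name, "| before:", loginStatusOrigin(FEDCM, ancestors, "same-origin"),
              "| now:", loginStatusOrigin(FEDCM, ancestors, "same-site"));
}
```

Only the sibling-subdomain case changes outcome; a request made under a relying party's page is cross-site under both rules and sets nothing.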

Standards & signals

Docs: https://github.com/fedidcg/FedCM/issues/537
