FedCM—Support showing third-party iframe origins in the UI
- Category: Miscellaneous
- Type: New or changed feature
- Status: Proposed (Chrome Proposed)
- Intent stage: None
Summary
Currently, FedCM always shows the top-level site in its UI.
This works well when the iframe is conceptually first-party (e.g. foo.com may have an iframe foostatic.com, which is not meaningful to the user).
But if the iframe is actually third-party, it would be better to make it possible to show the iframe origin in the UI so that the user better understands who they are sharing their credentials with. For example, a photo editor may be embedded in a book publishing web app and may want to let users access files they have previously stored with the photo editor.
This proposal allows doing so.
Motivation
See https://github.com/w3c-fedid/FedCM/issues/725 for more discussion on the motivation.
Standards & signals
- Specification: https://github.com/w3c-fedid/FedCM/pull/774
- Firefox: No signal — For incremental improvements to FedCM, Firefox has asked us not to file a standards position, and they will instead provide feedback in the GitHub PR. A Firefox engineer is "not willing to block this": https://github.com/w3c-fedid/FedCM/issues/725#issuecomment-3189376203
- Safari: No signal — Safari is not implementing FedCM in general. They have closed other position requests for specific FedCM additions as duplicates of the general FedCM position request, e.g. https://github.com/WebKit/standards-positions/issues/120#issuecomment-1914040695
- Web developers: Positive — This was requested by web developer partners.
Our partners have tried out the Chrome implementation behind a flag and found it to match their expectations.
- Tracking bug: https://crbug.com/390581529
Explainers: https://github.com/w3c-fedid/FedCM/issues/449#issuecomment-1515631336