Use Permissions Policy instead of sameOriginWithAncestors #236
Conversation
|
(I'm going to join fedidcg to make the IPR pass) |
|
We inherit the |
|
Ah, right, I missed that this parameter came from the original function. I'll file an issue with credential management about PP vs. sameOriginWithAncestors, but I think for now it's probably acceptable to mention the parameter but ignore it in the algorithm. Thanks! |
|
@dj2 updated, PTAL :) |
|
Note that permission policy check itself should be added to the relevant algorithm in the credential management side since [[Discover From External Source]] is called from "in parallel" steps and cannot access the environment settings object. |
|
Thanks @nsatragno, I think that makes sense. I'll update the PR. |
|
I noticed another potential issue that I wanted to get your thoughts on: Besides I'm not yet super familiar with Credentials so maybe I'm wrong here, but it looks to me like this algorithm would also be called for FedCM FederatedCredentials and effectively prevent the Permissions Policy check in Potential solutions:
Any thoughts/preferences? |
|
There is also #237 which could move us away from monkey patching FederatedCredential if people agree with that direction. This would mean we'd have to put the definition for the |
|
Right, that might be good. Either way, it does feel like we could move |
|
(Sorry I somehow missed this) My recommendation is to move away from monkey patching and instead create a brand-new credential type to avoid this class of issues now and in the future, e.g. if we fix a bug on credman's If it's at all helpful to have the current implementation that overrides |
|
@dj2 @nsatragno I made some updates to reflect our discussion, PTAL. I wanted to avoid overriding If you're okay with this new version I'll also submit a PR to credman adding the allowed to use check. |
spec/index.bs
Outdated
| @@ -1026,6 +1026,19 @@ requests. | |||
| :: Optional |accountId| hint. Maybe used by the UA when displaying the | |||
| </dl> | |||
|
|
|||
| This specification modifies the {{FederatedCredential}}'s {{FederatedCredential/[[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors)}} method by prepending the following step: | |||
There was a problem hiding this comment.
Technically this would be the second step, i.e. after the assert, right?
There was a problem hiding this comment.
Yeah, I guess technically you're right, I figured we can skip the assert for simplicity as existence of the map is somewhat implied by exists, but I can try to reword.
spec/index.bs
Outdated
|
|
||
| 1. If |options|["{{CredentialRequestOptions/federated}}"]["{{FederatedCredentialRequestOptions/providers}}"] [=map/exists=], return the result of <a abstract-op lt="Retrieve a list of credentials">retrieving</a> | ||
| credentials from the [=credential store=] that match the following filter: | ||
| 1. The credential is a {{FederatedCredential}} |
There was a problem hiding this comment.
nit: add period for consistency with other bullet points.
spec/index.bs
Outdated
| Note: This step skips any checks for |sameOriginWithAncestors|, which is instead done by | ||
| evaluating whether the document is [=allowed to use=] the `"fedcm"` feature at at the | ||
| [[!CREDENTIAL-MANAGEMENT-1]] level. See [[#permissions-policy-integration]]. | ||
|
|
||
| This specification overrides the {{FederatedCredential}}'s |
There was a problem hiding this comment.
Should we later not override this method? Maybe add an Issue
There was a problem hiding this comment.
I wouldn't require us to change this as long as CredMan has a no-op in place of the overriden function, this draft is for incubation anyway and a final decision could be made in #237 as a result of which this will likely change anyway.
spec/index.bs
Outdated
|
|
||
| This restriction can be controlled using the mechanisms described in [[PERMISSIONS-POLICY]]. | ||
|
|
||
| Note: Algorithms specified in [[!CREDENTIAL-MANAGEMENT-1]] perform the actual permissions policy evaluation. This is because such policy evaluation needs to occur when there is access to the [=current settings object=]. The [=internal method=]s modified by this specification do not have such access since they are invoked [=in parallel=] by {{CredentialsContainer}}'s <a abstract-op>Request a `Credential`</a> abstract operation [[!CREDENTIAL-MANAGEMENT-1]]. |
There was a problem hiding this comment.
The last mention to [[!CREDENTIAL-MANAGEMENT-1]] here seems off, should we remove it?
There was a problem hiding this comment.
Yeah, that seems removable.
|
I think I can take another stab at this now that we have IdentityCredential in place. |
johannhof
force-pushed
the
permissions-policy
branch
2 times, most recently
from
7094b1a to
516b53e
Compare
See rationale here: w3c-fedid#233 (comment)
johannhof
force-pushed
the
permissions-policy
branch
from
516b53e to
b4cfabf
Compare
Companion change to w3c-fedid/FedCM#236
spec/index.bs
Outdated
| # Permissions Policy Integration # {#permissions-policy-integration} | ||
| <!-- ============================================================ --> | ||
|
|
||
| FedCM defines a [=policy-controlled feature=] identified by the string `"fedcm"`. |
There was a problem hiding this comment.
Let's use a different name, not fedcm. How about identity-credential (or the plural, not sure what is better in this case)?
There was a problem hiding this comment.
Hmm so for publickey (which is the closest to this, I guess) we have publickey-credentials-get, which might make sense as it describes the capability that we're exposing, so identity-credential-get? It sounds a bit funky though.
@clelland do you have any thoughts/advice on naming for PP?
There was a problem hiding this comment.
identity-credential-get for consistency with the publickey SGTM
There was a problem hiding this comment.
Thanks, let's agree on that, then!
There was a problem hiding this comment.
Should we do the plural identity-credentials-get to be consistent?
There was a problem hiding this comment.
Yeah, I agree, it's also more consistent with the API call (credentials.get) thanks for catching that! I can update this later, as I was going to make it linkable as well.
There was a problem hiding this comment.
@samuelgoto @npm1 assuming no concerns with this but lmk otherwise
|
LGTM with the small naming changes to keep it consistent. Once you resolve them, I'll merge. |
|
Done! :) |
|
Merged! |
SHA: 9c05a08 Reason: push, by @samuelgoto Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* Add permissions policy check for FedCM Companion change to w3c-fedid/FedCM#236
) * Use Permissions Policy instead of sameOriginWithAncestors See rationale here: w3c-fedid#233 (comment) * Update feature name based on feedback
See rationale here:
#233 (comment)
Preview | Diff