BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Sabre//Sabre VObject 4.5.8//EN
CALSCALE:GREGORIAN
LAST-MODIFIED:20260316T155826Z
BEGIN:VTIMEZONE
TZID:Etc/UTC
BEGIN:STANDARD
DTSTART:20230318T140000
TZOFFSETFROM:+0000
TZOFFSETTO:+0000
TZNAME:UTC
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
UID:15220813-651d-4795-98ae-a17434c1e50f
DTSTAMP:20260316T155826Z
SUMMARY:FedCM request settings & CORS
DTSTART;TZID=Etc/UTC:20240312T140000
DTEND;TZID=Etc/UTC:20240312T150000
DESCRIPTION:https://www.w3.org/events/meetings/15220813-651d-4795-98ae-a174
 34c1e50f/\n\nRecently\, we have come to the [conclusion that FedCM should 
 use CORS for the identity assertion endpoint](https://github.com/fedidcg/F
 edCM/issues/428#issuecomment-1729629625). Other requests remain in questio
 n\; for example\, the [accounts endpoint](https://fedidcg.github.io/F
 edCM/#fetch-accounts-list) has unique:\n\n- Security constraints: like th
 e response not being consumable by any script unless the user selects some
  browser UI\n- Privacy requirements: like not being able to expose the RP 
 to the IDP under any circumstance\, which makes CORS an unsuitable primiti
 ve for this kind of request\n\nRecently\, Google has put together [**a pro
 posal**](https://docs.google.com/document/d/1CpP9JAuqWi4yivOWQcarIqEyQzVcI
 xDdc8NA3HMw56I/edit) for finalizing the (security) properties of the accou
 nt endpoints request\, which involves interpreting the request as being "i
 nitiated" from the `/.well-known` file that directs the browser to fetch i
 t (the accounts endpoint). Today\, in practice that would make the account
 s endpoint request "same-origin" with the `/.well-known` that initiated it
 \, because FedCM requires that these requests be mutually same-origin.\n\n
 We've reached _some_ general agreement on this approach\, but would like t
 o discuss it with stakeholders including Fetch editors (@annevk)\, and
  also
  resolve outstanding discussion about how exactly cookies/credentials shou
 ld be treated with this request.\n\n**Goal(s):**\nResolve the topic of COR
 S & accounts endpoint requests\n\n**Track(s):**\n- identity\n\nAgenda\n\nD
 iscuss https://docs.google.com/document/d/1CpP9JAuqWi4yivOWQcarIqEyQzVcIxD
 dc8NA3HMw56I/edit\, and the associated email threads that preceded it.\n\n
 **Materials:**\n- [Session proposal on GitHub](https://github.com/w3c/brea
 kouts-day-2024/issues/7)
STATUS:CONFIRMED
CREATED:20240302T122808Z
LAST-MODIFIED:20260316T155826Z
SEQUENCE:5
ORGANIZER;CN=W3C Calendar;PARTSTAT=ACCEPTED;ROLE=NON-PARTICIPANT:mailto:nor
 eply@w3.org
LOCATION:Ukulele
CATEGORIES:W3C Breakouts Day 2024,Breakout Sessions
END:VEVENT
END:VCALENDAR
