-
Notifications
You must be signed in to change notification settings - Fork 77
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Send Accept-Language
in the HTTP requests
#592
Comments
hmm, since we don't (shouldn't) validate the URLs such that they are from the RP site, the URL could be decorated to be something like https://idp.example/rp/tos.html. When a user clicks on the browser UI to open this link, idp.example is able to connect the RP+User without explicit user permission since they have 1P cookie access from the decorated link. Does it make sense? |
Isn't that true with the current method the IdP provides the two URLs? That doesn't seem like it changes with the |
I think we'd make sure that the url is passed within the same constraints that |
Right. This doesn't seem to introduced by this proposal (it does get me started to think about this issue). Will track separately after we understand the situation better. |
Yeah, a lot of big service providers have their different language terms at completely different URLs, not content negotiated based on |
ConNeg can be put to good use where a user does a I cannot think of a way that having a client-side tool be language aware solves the problem of a |
@TallTed my suggestion here is that when making the FedCM client metadata request, we ConNeg it, allowing the server to return potentially localised URLs for The FedCM client metadata request is a well known URL, due to specification requiring its implementation. But it's not specified whether it is requested with headers that would enable ConNeg on Language |
Much clearer; thank you. Yes, FedCM requests should include |
i.e., we do:
(Assuming my device's languages would normally return And idp.example may respond with: {
"terms_of_service_uri": "https://rp.example/fr/terms",
"privacy_policy_uri": "https://rp.example/fr/privacy"
} Instead of: {
"terms_of_service_uri": "https://rp.example/terms",
"privacy_policy_uri": "https://rp.example/privacy"
} (note: there's a typo in the original example 10 from https://fedidcg.github.io/FedCM/#idp-api-client-id-metadata-endpoint as |
From @ThisIsMissEm in #234 :
I think this is a great idea: it doesn't seem immediately attackable to me and would certainly help the user.
The text was updated successfully, but these errors were encountered: