From 11439a066d132405153795ea93bad0166bdf985f Mon Sep 17 00:00:00 2001 From: npm1 Date: Thu, 9 Feb 2023 10:53:20 -0500 Subject: [PATCH 1/2] Use Origin instead of Referer (#423) * b * b --- spec/index.bs | 46 +++++++++++++++++++++------------------------- 1 file changed, 21 insertions(+), 25 deletions(-) diff --git a/spec/index.bs b/spec/index.bs index d4fe9d5b..7fa089b8 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -319,7 +319,8 @@ The well-known file is fetched: (a) **without** cookies, (b) **with** the Sec-Fetch-Dest header set to `webidentity`, and -(c) **without** a [[RFC9110#field.referer|Referer]] header +(c) **without** revealing the [=RP=] in the Origin or + [[RFC9110#field.referer|Referer]] headers. For example: @@ -353,7 +354,8 @@ The config endpoint is fetched: (a) **without** cookies, (b) **with** the Sec-Fetch-Dest header set to `webidentity`, -(c) **without** a [[RFC9110#field.referer|Referer]] header, and +(c) **without** revealing the [=RP=] in the Origin or + [[RFC9110#field.referer|Referer]] headers, and (c) **without** following [[RFC9110#field.location|HTTP redirects]]. For example: @@ -474,7 +476,8 @@ The accounts list endpoint provides the list of accounts the user has at the [=I The accounts list endpoint is fetched (a) **with** [=IDP=] cookies, (b) **with** the Sec-Fetch-Dest header set to `webidentity`, -(c) **without** a [[RFC9110#field.referer|Referer]] header, and +(c) **without** revealing the [=RP=] in the Origin or + [[RFC9110#field.referer|Referer]] headers, and (d) **without** following [[RFC9110#field.location|HTTP redirects]]. For example: 
@@ -520,7 +523,7 @@ Every {{IdentityProviderAccount}} is expected to have members with the following : picture :: URL for the account's picture. : approved_clients - :: A list of [=RP=]s (that gets matched against the requesting {{IdentityProviderConfig/client_id}}) this account is already registered with. + :: A list of [=RP=]s (that gets matched against the requesting {{IdentityProviderConfig/clientId}}) this account is already registered with. Used in the [=request permission to sign-up=] to allow the [=IDP=] to control whether to show the Privacy Policy and the Terms of Service. @@ -560,9 +563,7 @@ The client metadata endpoint provides metadata about [=RP=]s. The client medata endpoint is fetched (a) **without** cookies, (b) **with** the Sec-Fetch-Dest header set to `webidentity`, -(c) **with** a [[RFC9110#field.referer|Referer]] header indicating the [=RP=]'s origin - (as if [[referrer-policy#referrer-policy-strict-origin|Referer-Policy: strict-origin]] - was in use), and +(c) **with** the [=RP=]'s origin in the Origin header, and (d) **without** following [[RFC9110#field.location|HTTP redirects]]. The user agent also passes the **client_id**. @@ -573,7 +574,7 @@ For example: ```http GET /client_medata?client_id=1234 HTTP/1.1 Host: idp.example -Referer: https://rp.example/ +Origin: https://rp.example/ Accept: application/json Sec-Fetch-Dest: webidentity ``` @@ -618,9 +619,7 @@ The identity assertion endpoint is fetched (a) as a **POST** request, (b) **with** [=IDP=] cookies, -(c) **with** a [[RFC9110#field.referer|Referer]] header indicating the [=RP=]'s origin - (as if [[referrer-policy#referrer-policy-strict-origin|Referer-Policy: strict-origin]] - was in use), +(c) **with** the [=RP=]'s origin in the Origin header, and (d) **with** the Sec-Fetch-Dest header set to `webidentity`, (e) **without** following [[RFC9110#field.location|HTTP redirects]]. 
@@ -646,7 +645,7 @@ For example: ```http POST /fedcm_assertion_endpoint HTTP/1.1 Host: idp.example -Referer: https://rp.example/ +Origin: https://rp.example/ Content-Type: application/x-www-form-urlencoded Cookie: 0x23223 Sec-Fetch-Dest: webidentity @@ -655,10 +654,11 @@ account_id=123&client_id=client1234&nonce=Ct60bD&disclosure_text_shown=true
-An [=IDP=] MUST check the referrer to ensure that a malicious [=RP=] does not receive an ID token -corresponding to another [=RP=]. In other words, the [=IDP=] MUST check that the referrer is -represented by the {{IdentityProviderConfig/client_id}}. As the {{IdentityProviderConfig/client_id}} are [=IDP=]-specific, the [=user agent=] -cannot perform this check. +An [=IDP=] MUST check the Origin header to ensure that a malicious [=RP=] does +not receive an ID token corresponding to another [=RP=]. In other words, the [=IDP=] MUST check that +the Origin header value is represented by the +{{IdentityProviderConfig/clientId}}. As the {{IdentityProviderConfig/clientId}} are +[=IDP=]-specific, the [=user agent=] cannot perform this check.
The response body must be a JSON object that can be [=converted to an IDL value|converted=] to an {{IdentityProviderToken}} without an exception. @@ -714,8 +714,8 @@ provisioning of a token. NOTE: The [=RP=] makes no delineation between Sign-up and Sign-in, but rather calls the same API indistinguishably. -If all goes well, the [=Relying Party=] receives back an {{IdentityCredential}} -which contains a [=token=] it can use to authenticate the user. +If all goes well, the Relying Party receives back an {{IdentityCredential}} +which contains a token it can use to authenticate the user.
```js @@ -1018,7 +1018,7 @@ To fetch the config file given an {{IdentityProviderConfig}} |provide :: "omit"

The spec is yet to be updated so that all requests are created - with [=request/mode=] set to "unsafe-no-cors". See the relevant + with [=request/mode=] set to "user-agent-no-cors". See the relevant [pull request](https://github.com/whatwg/fetch/pull/1533) for details.

1. Let |config| be null. @@ -1191,12 +1191,10 @@ To fetch an identity assertion given an [=AccountState=] |accountStat : [=request/destination=] :: "webidentity" : [=request/origin=] - :: a unique [=opaque origin=] + :: [=RP=]'s [=/origin=] (TODO) : [=request/header list=] :: a [=list=] containing a single [=header=] with [=header/name=] set to `Accept` and [=header/value=] set to `application/x-www-form-urlencoded` - : [=request/referrer=] - :: [=RP=]'s URL (TODO). : [=request/credentials mode=] :: "include" @@ -1312,12 +1310,10 @@ an {{IdentityProviderConfig}} |provider|, run the following steps. This returns : [=request/destination=] :: "webidentity" : [=request/origin=] - :: a unique [=opaque origin=] + :: [=RP=]'s [=/origin=] (TODO) : [=request/header list=] :: a [=list=] containing a single [=header=] with [=header/name=] set to `Accept` and [=header/value=] set to `application/json` - : [=request/referrer=] - :: [=RP=]'s URL (TODO). : [=request/credentials mode=] :: "omit" From 8a33eb440c12c2bbd53dc19452e2c899ed1b1e2c Mon Sep 17 00:00:00 2001 From: Christian Biesinger Date: Thu, 9 Feb 2023 16:55:33 +0100 Subject: [PATCH 2/2] Clarify how IdentityProvider is exposed (#425) This also does not need to be a partial interface. --- proposals/idp-sign-in-status-api.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/proposals/idp-sign-in-status-api.md b/proposals/idp-sign-in-status-api.md index 8b969219..257201c2 100644 --- a/proposals/idp-sign-in-status-api.md +++ b/proposals/idp-sign-in-status-api.md @@ -56,7 +56,8 @@ was the last/only account getting signed out. Tentatively: ``` -partial interface IdentityProvider { +[Exposed=Window] +interface IdentityProvider { static void login(); static void logout(); }
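Review bot: The @@ -353 hunk of spec/index.bs leaves the config endpoint list with two items labelled (c): the rewritten "(c) **without** revealing the [=RP=] in the Origin or Referer headers, and" is immediately followed by the unchanged "(c) **without** following HTTP redirects". Since this patch already rewrites the first of those lines, relabel the redirect item to (d) so it matches the (a)-(d) numbering used for the accounts list endpoint in the @@ -474 hunk.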
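Review bot: In the @@ -573 hunk the replacement line `Origin: https://rp.example/` carries a Referer-style value, not an Origin value; an Origin header is a serialized origin (scheme, host and port only, no trailing slash), so the example should read `Origin: https://rp.example`. This matters beyond cosmetics because the new normative text tells the IDP to compare the Origin value against what is registered for the client_id, and an example with a trailing slash invites IDPs to match on a URL form that browsers will never send. While touching this example, the pre-existing `GET /client_medata?client_id=1234` and "The client medata endpoint" in the @@ -560 context lines look like typos for "metadata".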
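Review bot: The @@ -646 hunk has the same problem as the client metadata example: `Origin: https://rp.example/` should be `Origin: https://rp.example`, because the Origin header is a serialized origin without a trailing slash. Both examples should agree with each other and with the form of value the IDP is required to check in the paragraph that follows.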
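Review bot: In the @@ -655 hunk, "the [=IDP=] MUST check that the Origin header value is represented by the {{IdentityProviderConfig/clientId}}" leaves the actual comparison underspecified; the requirement should say that the IDP compares the serialized origin in the Origin header against the origin(s) it has registered for that clientId and returns no token when the header is absent or does not match, since an IDP that treats a missing Origin as acceptable reintroduces exactly the cross-RP token leak this paragraph is meant to prevent. Also, "As the {{IdentityProviderConfig/clientId}} are [=IDP=]-specific" should be "As {{IdentityProviderConfig/clientId}} values are [=IDP=]-specific".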
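Review bot: The @@ -714 hunk drops the `[=Relying Party=]` and `[=token=]` autolinks from the "If all goes well" sentence, which is unrelated to the Origin-for-Referer change described in the subject line. If the links were removed because the definitions do not resolve, say so in the commit message (the current "* b * b" body explains nothing); otherwise keep the autolinks so the terms stay connected to their definitions.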
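Review bot: The @@ -1191 hunk sets [=request/origin=] to the RP's origin and removes [=request/referrer=], which for this POST request does cause Fetch to append an Origin header, so the algorithm now matches the prose in the @@ -618 hunk. Two follow-ups though: the "(TODO)" marker should not land in the spec text without a link to the tracking issue, and the unchanged context line that sets a single `Accept` header to `application/x-www-form-urlencoded` describes the request body's media type rather than the accepted response type, so that header should be `Content-Type: application/x-www-form-urlencoded` (with `Accept: application/json` if anything), as the @@ -646 example already shows.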
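Review bot: The @@ -1312 hunk sets [=request/origin=] to the RP's origin for the client metadata fetch, but that alone will not produce the Origin header promised by the rewritten prose in the @@ -560 hunk: Fetch only appends an Origin header for CORS-tainted requests, websocket requests, or requests whose method is not GET or HEAD, and this is a GET with a no-cors style mode (see the @@ -1018 hunk). Either the algorithm needs to append the `Origin` header explicitly to the header list, or the prose should describe what is actually sent; in its current state, an IDP following the "MUST check the Origin header" requirement would reject every client metadata request. As with the @@ -1191 hunk, replace "(TODO)" with a link to the tracking issue.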
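Review bot: In the proposals/idp-sign-in-status-api.md hunk, the rewritten interface keeps `static void login();` and `static void logout();`, but `void` is no longer a valid return type in Web IDL; since this change already rewrites the interface header to `[Exposed=Window] interface IdentityProvider`, update the two methods to `static undefined login();` and `static undefined logout();` so the tentative IDL is at least syntactically current.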