Status of FPWD‐identified Issues
This is a tracking list of issues the WG labeled as critical open issues during the FPWD process that must be formally addressed before publication of a Candidate Recommendation.
| Issue | Stage | Proposal | Core FedCM? |
|-------|:-----:|----------|-------------|
| Issue 428: Enforce CORS on the Identity Assertions endpoint | 2 (merged) | See PR 547 | Yes |
| Issue 537: Allow setting IDP login status from same-site subresources | 2 (merged) | See PR 538 | Yes |
| Issue 442: A not-yet logged in IDP has no route to success with this flow – Active Mode | 2 (merged) | Active Mode API | Yes |
| Issue 555: Allow IdPs to continue and finish the request in a popup window – Continuation API | 2 (merged) | Continuation API | Yes |
| Issue 556: Passing arbitrary parameters to the ID assertion endpoint | 2 (merged) | Params API | Yes |
| Issue 559: Allow RPs to selectively request attributes of the user’s profile | 2 | Fields API | No |
| Issue 511: Allow signing in to additional account(s) | 2 | Add Account API | Yes |
| Issue 553: Allowing IDPs to expose different account lists in different contexts | 2 | Account Labels API | Yes |
| Issue 552: Allow IDPs to use multiple config files within an eTLD+1 | 2 (merged) | Multiple configURLs API | Yes |
| Issue 488: Users may be confused after showing intent to sign in but the sign-in is failed | 2? | Error API | TBD |
| Issue 319: Allow multiple IDPs to be used | 2 | Multi-IdP API | Yes |
| Issue 467: Use cases for Cross-Site Cookie Access through Storage Access API after FedCM grant? – SAA Auto-grant | 2 (merged into the SAA spec) | Storage Access API Auto-grant | Yes |
| Issue 517: Allow user agents to use "Connected Accounts Set" with flexibility | 2? | 3PC Relaxation | No |
| Issue 352: Share performance measurement with IDP | 2? | Metrics API | No |
| Issue 407: [Context API] - Authz / relation to ability to specify scope | 2? | duplicate of this? | Yes |
| Issue 240: Users can’t use IdPs outside of the ones enumerated by RPs | 1 | IdP Registration API | No |
| Issue 441: The IDP has to support additional infrastructure to support FedCM | 1 | Lightweight API | No :-( |
| Issue 317: concerns about email in Accounts List | 1? | Proposal to move to Stage 1 | Yes |
| Issue 677 | 1 | Delegation-oriented FedCM | No |
| Issue 320: Why Sec-FedCM-CSRF and not Sec-Fetch-Mode | 0 | | |
| Issue 578: Allow IdPs to return JSON objects rather than Strings back to RPs | 0 | | |
| Issue 585: Allow IdP registration and RPs to match on a "type" – IdP Registration | 0 | | |
| Issue 587: Why must SameSite=none? | 0 | | |
| Issue 599: OAuth profile for FedCM | 0 | | |
| Issue 609: Spec says we send SameSite=Strict cookies | 0 | | |
| Issue 616: Once params are merged into the spec, deprecate the nonce parameter | 0 | | |
| Issue 618: Support chained authentication flows before reducing heuristics and classifications/lists in navigational tracking mitigations | 0 | | |
| Issue 620: Make it easier to deploy this at the eTLD+1 for registered IdPs | 0 | | |
| Issue 625: Returning accounts go first in getUserInfo | 0 | | |
| Issue 626: PP/TOS requirements are different from auto reauthentication | 0 | | |
| Issue 627: Add webdriver command to open PP/TOS | 0 | | |