commit b1eacf12d9e205919a9363a179f14d6e8bc3bd71
author Nicolás Peña <npm@chromium.org> Tue Apr 09 22:01:18 2024
committer Blink WPT Bot <blink-w3c-test-autoroller@chromium.org> Tue Apr 09 23:43:28 2024
tree a3a498e2a2effb6c56d4c4d03946bb3bba22af2c
parent 1267c0a912d444e0e76f07d23477cb2cd26ee05e

Reland "[FedCM] Enable CORS in ID assertion endpoint"

This reverts commit 4b1c288aef71451a32e057cac8413c26a665ee32.

Reason for revert: IDPs are now ready for this change

Original change's description:
> Revert "[FedCM] Enable CORS in ID assertion endpoint"
>
> This reverts commit b2cb1b55ae3c4f7b88a74a0ceb697646fde03a5b.
>
> Reason for revert: Causing issues to a real IDP
>
> Original change's description:
> > [FedCM] Enable CORS in ID assertion endpoint
> >
> > I2S: https://groups.google.com/a/chromium.org/g/blink-dev/c/gYoQJsaiD9E
> >
> > Bug: 40284123
> > Change-Id: I61989f1e7a7578c2f59d87815e3ec2b51b7fc5be
> > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5370086
> > Reviewed-by: Nasko Oskov <nasko@chromium.org>
> > Reviewed-by: Christian Dullweber <dullweber@chromium.org>
> > Reviewed-by: Mathias Bynens <mathias@chromium.org>
> > Commit-Queue: Nicolás Peña <npm@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#1274203}
>
> Bug: 40284123
> Change-Id: I4a518b55396d5aba676f0a15c9a515451dc11e86
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5381316
> Reviewed-by: Christian Biesinger <cbiesinger@chromium.org>
> Reviewed-by: Mathias Bynens <mathias@chromium.org>
> Commit-Queue: Nicolás Peña <npm@chromium.org>
> Reviewed-by: Nasko Oskov <nasko@chromium.org>
> Reviewed-by: Christian Dullweber <dullweber@chromium.org>
> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
> Cr-Commit-Position: refs/heads/main@{#1276213}

Bug: 40284123
Change-Id: I64c8ceb82b3f49bc41e7b592d890699db67a2c6c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5440132
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Christian Dullweber <dullweber@chromium.org>
Reviewed-by: Christian Biesinger <cbiesinger@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1284723}

credential-management/support/fedcm/continue_on.py

diff --git a/credential-management/support/fedcm/continue_on.py b/credential-management/support/fedcm/continue_on.py
index 1b4831b..2a580e0 100644
--- a/credential-management/support/fedcm/continue_on.py
+++ b/credential-management/support/fedcm/continue_on.py
@@ -7,6 +7,8 @@
     return request_error
 
   response.headers.set(b"Content-Type", b"application/json")
+  response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
+  response.headers.set(b"Access-Control-Allow-Credentials", "true")
 
   account = request.POST.get(b"account_id").decode("utf-8")
   nonce = request.POST.get(b"nonce").decode("utf-8")

credential-management/support/fedcm/request-params-check.py

diff --git a/credential-management/support/fedcm/request-params-check.py b/credential-management/support/fedcm/request-params-check.py
index 6c610e6..08c28e3 100644
--- a/credential-management/support/fedcm/request-params-check.py
+++ b/credential-management/support/fedcm/request-params-check.py
@@ -63,12 +63,16 @@
     return (539, [], "Should not have Origin")
 
 def tokenCheck(request):
-  common_error = commonCheck(request)
+  common_error = commonCheck(request, b"cors")
   if (common_error):
     return common_error
   common_credentialed_error = commonCredentialedRequestCheck(request)
   if (common_credentialed_error):
     return common_credentialed_error
+  # The value of the Sec-Fetch-Site header can vary depending on the IdP origin
+  # but it should not be 'none'.
+  if request.headers.get(b"Sec-Fetch-Site") == b"none":
+    return (538, [], "Wrong Sec-Fetch-Site header")
 
   post_error = commonPostCheck(request)
   if (post_error):
@@ -86,8 +90,9 @@
   if (common_error):
     return common_error
 
-  if request.cookies.get(b"cookie") != b"1":
-    return (537, [], "Missing cookie")
+  common_credentialed_error = commonCredentialedRequestCheck(request)
+  if (common_credentialed_error):
+    return common_credentialed_error
   # The value of the Sec-Fetch-Site header can vary depending on the IdP origin
   # but it should not be 'none'.
   if request.headers.get(b"Sec-Fetch-Site") == b"none":

credential-management/support/fedcm/token_with_account_id.py

diff --git a/credential-management/support/fedcm/token_with_account_id.py b/credential-management/support/fedcm/token_with_account_id.py
index 52fb201..04e7b5b 100644
--- a/credential-management/support/fedcm/token_with_account_id.py
+++ b/credential-management/support/fedcm/token_with_account_id.py
@@ -7,6 +7,8 @@
     return request_error
 
   response.headers.set(b"Content-Type", b"application/json")
+  response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
+  response.headers.set(b"Access-Control-Allow-Credentials", "true")
 
   account_id = request.POST.get(b"account_id")
   return "{\"token\": \"account_id=" + account_id.decode("utf-8") + "\"}"

credential-management/support/fedcm/token_with_auto_selected_flag.py

diff --git a/credential-management/support/fedcm/token_with_auto_selected_flag.py b/credential-management/support/fedcm/token_with_auto_selected_flag.py
index 93ccf3e..3e011ce 100644
--- a/credential-management/support/fedcm/token_with_auto_selected_flag.py
+++ b/credential-management/support/fedcm/token_with_auto_selected_flag.py
@@ -7,6 +7,8 @@
     return request_error
 
   response.headers.set(b"Content-Type", b"application/json")
+  response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
+  response.headers.set(b"Access-Control-Allow-Credentials", "true")
 
   is_auto_selected = request.POST.get(b"is_auto_selected")
   return "{\"token\": \"is_auto_selected=" + is_auto_selected.decode("utf-8") + "\"}"

credential-management/support/fedcm/token_with_http_error.py

diff --git a/credential-management/support/fedcm/token_with_http_error.py b/credential-management/support/fedcm/token_with_http_error.py
index c8d95ab..05b9945 100644
--- a/credential-management/support/fedcm/token_with_http_error.py
+++ b/credential-management/support/fedcm/token_with_http_error.py
@@ -7,6 +7,8 @@
     return request_error
 
   response.headers.set(b"Content-Type", b"application/json")
+  response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
+  response.headers.set(b"Access-Control-Allow-Credentials", "true")
   response.status = (403, b"Forbidden")
 
   return "{\"token\": \"token\"}"

credential-management/support/fedcm/token_with_rp_mode.py

diff --git a/credential-management/support/fedcm/token_with_rp_mode.py b/credential-management/support/fedcm/token_with_rp_mode.py
index 5157364..add634c 100644
--- a/credential-management/support/fedcm/token_with_rp_mode.py
+++ b/credential-management/support/fedcm/token_with_rp_mode.py
@@ -7,6 +7,8 @@
     return request_error
 
   response.headers.set(b"Content-Type", b"application/json")
+  response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
+  response.headers.set(b"Access-Control-Allow-Credentials", "true")
 
   rp_mode = request.POST.get(b"mode")
   return "{\"token\": \"mode=" + rp_mode.decode("utf-8") + "\"}"