Reland "[FedCM] Enable CORS in ID assertion endpoint"
This reverts commit 4b1c288aef71451a32e057cac8413c26a665ee32.
Reason for revert: IDPs are now ready for this change
Original change's description:
> Revert "[FedCM] Enable CORS in ID assertion endpoint"
>
> This reverts commit b2cb1b55ae3c4f7b88a74a0ceb697646fde03a5b.
>
> Reason for revert: Causing issues to a real IDP
>
> Original change's description:
> > [FedCM] Enable CORS in ID assertion endpoint
> >
> > I2S: https://groups.google.com/a/chromium.org/g/blink-dev/c/gYoQJsaiD9E
> >
> > Bug: 40284123
> > Change-Id: I61989f1e7a7578c2f59d87815e3ec2b51b7fc5be
> > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5370086
> > Reviewed-by: Nasko Oskov <nasko@chromium.org>
> > Reviewed-by: Christian Dullweber <dullweber@chromium.org>
> > Reviewed-by: Mathias Bynens <mathias@chromium.org>
> > Commit-Queue: Nicolás Peña <npm@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#1274203}
>
> Bug: 40284123
> Change-Id: I4a518b55396d5aba676f0a15c9a515451dc11e86
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5381316
> Reviewed-by: Christian Biesinger <cbiesinger@chromium.org>
> Reviewed-by: Mathias Bynens <mathias@chromium.org>
> Commit-Queue: Nicolás Peña <npm@chromium.org>
> Reviewed-by: Nasko Oskov <nasko@chromium.org>
> Reviewed-by: Christian Dullweber <dullweber@chromium.org>
> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
> Cr-Commit-Position: refs/heads/main@{#1276213}
Bug: 40284123
Change-Id: I64c8ceb82b3f49bc41e7b592d890699db67a2c6c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5440132
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Christian Dullweber <dullweber@chromium.org>
Reviewed-by: Christian Biesinger <cbiesinger@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1284723}
diff --git a/credential-management/support/fedcm/continue_on.py b/credential-management/support/fedcm/continue_on.py
index 1b4831b..2a580e0 100644
--- a/credential-management/support/fedcm/continue_on.py
+++ b/credential-management/support/fedcm/continue_on.py
@@ -7,6 +7,8 @@
return request_error
response.headers.set(b"Content-Type", b"application/json")
+ response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
+ response.headers.set(b"Access-Control-Allow-Credentials", "true")
account = request.POST.get(b"account_id").decode("utf-8")
nonce = request.POST.get(b"nonce").decode("utf-8")
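Review bot: Line 51 echoes the request's Origin into Access-Control-Allow-Origin while line 52 sets Allow-Credentials to true, which is the classic over-permissive CORS combination; it is tolerable in a test fixture only because the request has already passed the check that returns `request_error` above, and that should be stated so nobody copies the pattern into a real IdP. I would add above line 51: `# Test-only: reflect the RP origin so the credentialed response is readable cross-origin. A real IdP must allow-list origins rather than echo them.` Also, `request.headers.get(b"Origin")` yields `None` when the header is absent, so unless the preceding check already requires an Origin header on this endpoint, `headers.set` would receive `None`; worth confirming against commonCheck in request-params-check.py. The enclosing handler starts outside the hunk.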
diff --git a/credential-management/support/fedcm/request-params-check.py b/credential-management/support/fedcm/request-params-check.py
index 6c610e6..08c28e3 100644
--- a/credential-management/support/fedcm/request-params-check.py
+++ b/credential-management/support/fedcm/request-params-check.py
@@ -63,12 +63,16 @@
return (539, [], "Should not have Origin")
def tokenCheck(request):
- common_error = commonCheck(request)
+ common_error = commonCheck(request, b"cors")
if (common_error):
return common_error
common_credentialed_error = commonCredentialedRequestCheck(request)
if (common_credentialed_error):
return common_credentialed_error
+ # The value of the Sec-Fetch-Site header can vary depending on the IdP origin
+ # but it should not be 'none'.
+ if request.headers.get(b"Sec-Fetch-Site") == b"none":
+ return (538, [], "Wrong Sec-Fetch-Site header")
post_error = commonPostCheck(request)
if (post_error):
@@ -86,8 +90,9 @@
if (common_error):
return common_error
- if request.cookies.get(b"cookie") != b"1":
- return (537, [], "Missing cookie")
+ common_credentialed_error = commonCredentialedRequestCheck(request)
+ if (common_credentialed_error):
+ return common_credentialed_error
# The value of the Sec-Fetch-Site header can vary depending on the IdP origin
# but it should not be 'none'.
if request.headers.get(b"Sec-Fetch-Site") == b"none":
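Review bot: The new check on lines 71–72 rejects only a literal `none`; `request.headers.get` returns `None` when the header is missing, so a request that omits Sec-Fetch-Site entirely passes silently. If the intent is that the browser must send the header on an ID-assertion fetch, compare against both: `if request.headers.get(b"Sec-Fetch-Site") in (None, b"none"):`. The same two comment lines and check now appear twice in this file (lines 69–72 and 83–85), so a small `commonSecFetchSiteCheck(request)` helper returning the 538 tuple would keep the two copies from drifting apart. tokenCheck and the function in the second hunk both continue outside the visible lines.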
diff --git a/credential-management/support/fedcm/token_with_account_id.py b/credential-management/support/fedcm/token_with_account_id.py
index 52fb201..04e7b5b 100644
--- a/credential-management/support/fedcm/token_with_account_id.py
+++ b/credential-management/support/fedcm/token_with_account_id.py
@@ -7,6 +7,8 @@
return request_error
response.headers.set(b"Content-Type", b"application/json")
+ response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
+ response.headers.set(b"Access-Control-Allow-Credentials", "true")
account_id = request.POST.get(b"account_id")
return "{\"token\": \"account_id=" + account_id.decode("utf-8") + "\"}"
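Review bot: Line 94 passes the str `"true"` where every other header in this file is set as bytes (`b"Content-Type"`, `b"application/json"`, and whatever `request.headers.get(b"Origin")` returns on line 93); wptserve tolerates both, but mixing them invites a TypeError the first time someone concatenates or compares the value. Use `b"true"` for consistency. The same two lines are copied into five support files in this change; since each handler appears to already call a shared request check (the `request_error` return above), a helper in request-params-check.py that sets both headers would keep the test-only origin reflection in one place.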
diff --git a/credential-management/support/fedcm/token_with_auto_selected_flag.py b/credential-management/support/fedcm/token_with_auto_selected_flag.py
index 93ccf3e..3e011ce 100644
--- a/credential-management/support/fedcm/token_with_auto_selected_flag.py
+++ b/credential-management/support/fedcm/token_with_auto_selected_flag.py
@@ -7,6 +7,8 @@
return request_error
response.headers.set(b"Content-Type", b"application/json")
+ response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
+ response.headers.set(b"Access-Control-Allow-Credentials", "true")
is_auto_selected = request.POST.get(b"is_auto_selected")
return "{\"token\": \"is_auto_selected=" + is_auto_selected.decode("utf-8") + "\"}"
diff --git a/credential-management/support/fedcm/token_with_http_error.py b/credential-management/support/fedcm/token_with_http_error.py
index c8d95ab..05b9945 100644
--- a/credential-management/support/fedcm/token_with_http_error.py
+++ b/credential-management/support/fedcm/token_with_http_error.py
@@ -7,6 +7,8 @@
return request_error
response.headers.set(b"Content-Type", b"application/json")
+ response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
+ response.headers.set(b"Access-Control-Allow-Credentials", "true")
response.status = (403, b"Forbidden")
return "{\"token\": \"token\"}"
diff --git a/credential-management/support/fedcm/token_with_rp_mode.py b/credential-management/support/fedcm/token_with_rp_mode.py
index 5157364..add634c 100644
--- a/credential-management/support/fedcm/token_with_rp_mode.py
+++ b/credential-management/support/fedcm/token_with_rp_mode.py
@@ -7,6 +7,8 @@
return request_error
response.headers.set(b"Content-Type", b"application/json")
+ response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
+ response.headers.set(b"Access-Control-Allow-Credentials", "true")
rp_mode = request.POST.get(b"mode")
return "{\"token\": \"mode=" + rp_mode.decode("utf-8") + "\"}"