Revert "[FedCM] Enable CORS in ID assertion endpoint"

This reverts commit b2cb1b55ae3c4f7b88a74a0ceb697646fde03a5b. Reason for revert: Causing issues to a real IDP Original change's description: > [FedCM] Enable CORS in ID assertion endpoint > > I2S: https://groups.google.com/a/chromium.org/g/blink-dev/c/gYoQJsaiD9E > > Bug: 4028412 > Change-Id: I61989f1e7a7578c2f59d87815e3ec2b51b7fc5be > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5370086 > Reviewed-by: Nasko Oskov <[email protected]> > Reviewed-by: Christian Dullweber <[email protected]> > Reviewed-by: Mathias Bynens <[email protected]> > Commit-Queue: Nicolás Peña <[email protected]> > Cr-Commit-Position: refs/heads/main@{#1274203} Bug: 4028412 Change-Id: I4a518b55396d5aba676f0a15c9a515451dc11e86 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5381316 Reviewed-by: Christian Biesinger <[email protected]> Reviewed-by: Mathias Bynens <[email protected]> Commit-Queue: Nicolás Peña <[email protected]> Reviewed-by: Nasko Oskov <[email protected]> Reviewed-by: Christian Dullweber <[email protected]> Bot-Commit: Rubber Stamper <[email protected]> Cr-Commit-Position: refs/heads/main@{#1276213}
web-platform-tests · Mar 21, 2024 · fec79bd · fec79bd
1 parent 8d31767
commit fec79bd
Show file tree

Hide file tree

Showing 6 changed files with 3 additions and 18 deletions.
diff --git a/credential-management/support/fedcm/continue_on.py b/credential-management/support/fedcm/continue_on.py
@@ -7,8 +7,6 @@ def main(request, response):
     return request_error
 
   response.headers.set(b"Content-Type", b"application/json")
-  response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
-  response.headers.set(b"Access-Control-Allow-Credentials", "true")
 
   account = request.POST.get(b"account_id").decode("utf-8")
   nonce = request.POST.get(b"nonce").decode("utf-8")

diff --git a/credential-management/support/fedcm/request-params-check.py b/credential-management/support/fedcm/request-params-check.py
@@ -63,16 +63,12 @@ def accountsCheck(request):
     return (539, [], "Should not have Origin")
 
 def tokenCheck(request):
-  common_error = commonCheck(request, b"cors")
+  common_error = commonCheck(request)
   if (common_error):
     return common_error
   common_credentialed_error = commonCredentialedRequestCheck(request)
   if (common_credentialed_error):
     return common_credentialed_error
-  # The value of the Sec-Fetch-Site header can vary depending on the IdP origin
-  # but it should not be 'none'.
-  if request.headers.get(b"Sec-Fetch-Site") == b"none":
-    return (538, [], "Wrong Sec-Fetch-Site header")
 
   post_error = commonPostCheck(request)
   if (post_error):
@@ -90,9 +86,8 @@ def revokeCheck(request):
   if (common_error):
     return common_error
 
-  common_credentialed_error = commonCredentialedRequestCheck(request)
-  if (common_credentialed_error):
-    return common_credentialed_error
+  if request.cookies.get(b"cookie") != b"1":
+    return (537, [], "Missing cookie")
   # The value of the Sec-Fetch-Site header can vary depending on the IdP origin
   # but it should not be 'none'.
   if request.headers.get(b"Sec-Fetch-Site") == b"none":

diff --git a/credential-management/support/fedcm/token_with_account_id.py b/credential-management/support/fedcm/token_with_account_id.py
@@ -7,8 +7,6 @@ def main(request, response):
     return request_error
 
   response.headers.set(b"Content-Type", b"application/json")
-  response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
-  response.headers.set(b"Access-Control-Allow-Credentials", "true")
 
   account_id = request.POST.get(b"account_id")
   return "{\"token\": \"account_id=" + account_id.decode("utf-8") + "\"}"
diff --git a/credential-management/support/fedcm/token_with_auto_selected_flag.py b/credential-management/support/fedcm/token_with_auto_selected_flag.py
@@ -7,8 +7,6 @@ def main(request, response):
     return request_error
 
   response.headers.set(b"Content-Type", b"application/json")
-  response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
-  response.headers.set(b"Access-Control-Allow-Credentials", "true")
 
   is_auto_selected = request.POST.get(b"is_auto_selected")
   return "{\"token\": \"is_auto_selected=" + is_auto_selected.decode("utf-8") + "\"}"
diff --git a/credential-management/support/fedcm/token_with_http_error.py b/credential-management/support/fedcm/token_with_http_error.py
@@ -7,8 +7,6 @@ def main(request, response):
     return request_error
 
   response.headers.set(b"Content-Type", b"application/json")
-  response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
-  response.headers.set(b"Access-Control-Allow-Credentials", "true")
   response.status = (403, b"Forbidden")
 
   return "{\"token\": \"token\"}"
diff --git a/credential-management/support/fedcm/token_with_rp_mode.py b/credential-management/support/fedcm/token_with_rp_mode.py
@@ -7,8 +7,6 @@ def main(request, response):
     return request_error
 
   response.headers.set(b"Content-Type", b"application/json")
-  response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
-  response.headers.set(b"Access-Control-Allow-Credentials", "true")
 
   rp_mode = request.POST.get(b"mode")
   return "{\"token\": \"mode=" + rp_mode.decode("utf-8") + "\"}"