From b9aff8f94cc0956d38939e02c99502811e1d2106 Mon Sep 17 00:00:00 2001
From: Chris Mills <chrisdavidmills@gmail.com>
Date: Mon, 16 Jan 2023 12:04:58 +0000
Subject: [PATCH 1/8] Add docs for FedCM API

---
 files/en-us/glossary/challenge/index.md       |   2 +-
 files/en-us/glossary/replay_attack/index.md   |  14 +
 files/en-us/web/api/credential/index.md       |   7 +-
 .../web/api/credentialscontainer/get/index.md |  48 ++-
 files/en-us/web/api/fedcm_api/index.md        | 307 ++++++++++++++++++
 .../web/api/federatedcredential/index.md      |   2 +
 .../en-us/web/api/identitycredential/index.md |  59 ++++
 .../web/api/identitycredential/token/index.md |  57 ++++
 files/jsondata/GroupData.json                 |   7 +
 9 files changed, 490 insertions(+), 13 deletions(-)
 create mode 100644 files/en-us/glossary/replay_attack/index.md
 create mode 100644 files/en-us/web/api/fedcm_api/index.md
 create mode 100644 files/en-us/web/api/identitycredential/index.md
 create mode 100644 files/en-us/web/api/identitycredential/token/index.md

diff --git a/files/en-us/glossary/challenge/index.md b/files/en-us/glossary/challenge/index.md
index 026036bd89e948f..9bb43e8ff8880b4 100644
--- a/files/en-us/glossary/challenge/index.md
+++ b/files/en-us/glossary/challenge/index.md
@@ -5,7 +5,7 @@ tags:
   - Security
 ---
 
-In security protocols, a _challenge_ is some data sent to the client by the server in order to generate a different response each time. Challenge-response protocols are one way to fight against [replay attacks](https://en.wikipedia.org/wiki/Replay_attack) where an attacker listens to the previous messages and resends them at a later time to get the same credentials as the original message.
+In security protocols, a _challenge_ is some data sent to the client by the server in order to generate a different response each time. Challenge-response protocols are one way to fight against {{glossary("replay attack", "replay attacks")}} where an attacker listens to the previous messages and resends them at a later time to get the same credentials as the original message.
 
 The [HTTP authentication protocol](/en-US/docs/Web/HTTP/Authentication) is challenge-response based, though the "Basic" protocol isn't using a real challenge (the realm is always the same).
 
diff --git a/files/en-us/glossary/replay_attack/index.md b/files/en-us/glossary/replay_attack/index.md
new file mode 100644
index 000000000000000..26d90d856b16bfa
--- /dev/null
+++ b/files/en-us/glossary/replay_attack/index.md
@@ -0,0 +1,14 @@
+---
+title: Replay attack
+slug: Glossary/Replay_attack
+tags:
+  - Security
+---
+
+In web security, a _replay attack_ is when an attacker intercepts a previously-sent message and resends it at a later time to get the same credentials as the original message, potentially with a different payload or instruction.
+
+Replay attacks can be prevented by including a unique, single-use identifier with each message that can be used by the receiver to verify the authenticity of the transmission. This can take the form of a session token or "number used only once" ("nonce").
+
+## See also
+
+- [Replay attack](https://en.wikipedia.org/wiki/Replay_attack) on Wikipedia.
diff --git a/files/en-us/web/api/credential/index.md b/files/en-us/web/api/credential/index.md
index 4c7467640bc3d14..13a0ce61da375e8 100644
--- a/files/en-us/web/api/credential/index.md
+++ b/files/en-us/web/api/credential/index.md
@@ -14,13 +14,14 @@ browser-compat: api.Credential
 
 {{APIRef("Credential Management API")}}{{securecontext_header}}
 
-The **`Credential`** interface of the [Credential Management API](/en-US/docs/Web/API/Credential_Management_API) provides information about an entity (usually a user) as a prerequisite to a trust decision.
+The **`Credential`** interface of the [Credential Management API](/en-US/docs/Web/API/Credential_Management_API) provides information about an entity (usually a user) normally as a prerequisite to a trust decision.
 
-`Credential` objects may be of 3 different types:
+`Credential` objects may be of four different types:
 
+- {{domxref("FederatedCredential")}}
+- {{domxref("IdentityCredential")}}
 - {{domxref("PasswordCredential")}}
 - {{domxref("PublicKeyCredential")}}
-- {{domxref("FederatedCredential")}}
 
 ## Instance properties
 
diff --git a/files/en-us/web/api/credentialscontainer/get/index.md b/files/en-us/web/api/credentialscontainer/get/index.md
index e8601e3ec0bbef1..3577c053ae1b483 100644
--- a/files/en-us/web/api/credentialscontainer/get/index.md
+++ b/files/en-us/web/api/credentialscontainer/get/index.md
@@ -50,11 +50,11 @@ get(options)
     to have, and options for interacting with the user. It can contain the following
     properties:
 
-    - `password`
+    - `password` {{optional_inline}}
       - : a boolean value indicating that returned
         {{domxref("Credential")}} instances should include user (as opposed to federated)
         credentials.
-    - `federated`
+    - `federated` {{optional_inline}}
 
       - : An object containing requirements for returned federated credentials. The available
         options are:
@@ -62,11 +62,19 @@ get(options)
         - `providers`
           - : An array of string instances of
             identity providers to search for.
-        - `protocols`
-          - : An array of string instances of
-            federation protocols to search for.
 
-    - `publicKey`
+    - `identity` {{optional_inline}}
+
+      - : An object containing details of federated identity providers (IdPs) that a relying party (RP) website can use to sign users in. Causes a `get()` call to initiate a request for a user to sign in to a RP with an IdP (see [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API)). `identity` can contain a single property, `providers`, which contains an array of objects each specifying the details of a separate IdP:
+
+        - `configURL`
+          - : A string specifying the URL of the IdP's config file. See [Provide a config file](/en-US/docs/Web/API/FedCM_API#provide_a_config_file) for more information.
+        - `clientId`
+          - : A string specifying the the RP's client identifier, issued by the IdP to the RP in a completely separate process specific to the IdP.
+        - `nonce` {{optional_inline}}
+          - : A random string that can be included to ensure the response is issued for this specific request, and prevent {{glossary("replay attack", "replay attacks")}}.
+
+    - `publicKey` {{optional_inline}}
       - : An object containing requirements for returned [WebAuthn](/en-US/docs/Web/API/Web_Authentication_API) credentials. The available options are:
         - `challenge`
           - : An {{jsxref("ArrayBuffer")}}, a {{jsxref("TypedArray")}}, or a {{jsxref("DataView")}} emitted by the relying party's server and used as a [cryptographic challenge](https://en.wikipedia.org/wiki/Challenge%E2%80%93response_authentication). This value will be signed by the authenticator and the signature will be sent back as part of {{domxref("AuthenticatorAssertionResponse.signature")}}.
@@ -80,15 +88,15 @@ get(options)
           - : A string qualifying how the user verification should be part of the authentication process.
         - `extensions` {{optional_inline}}
           - : An object with several client extensions' inputs. Those extensions are used to request additional processing (e.g. dealing with legacy FIDO APIs credentials, prompting a specific text on the authenticator, etc.).
-    - `mediation`
+    - `mediation` {{optional_inline}}
       - : A {{jsxref("String")}} indicating whether the user will
         be required to log on for every visit to the website. Valid values are
         `"silent"`, `"optional"`, `"conditional"`, or `"required"`.
-    - `unmediated` {{deprecated_inline}}
+    - `unmediated` {{optional_inline}} {{deprecated_inline}}
       - : A boolean value
         indicating the returned {{domxref("Credential")}} instance should not require user
         mediation.
-    - `signal`
+    - `signal` {{optional_inline}}
       - : An instance of {{domxref("AbortSignal")}} that can indicate
         that an ongoing `get()` operation should be halted. An aborted
         operation may complete normally (generally if the abort was received after the
@@ -106,6 +114,28 @@ obtained, the Promise will resolve to null.
 - `SecurityError` {{domxref("DOMException")}}
   - : Use of this feature was blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy).
 
+## Examples
+
+### Relying party sign-in using the FedCM API
+
+Relying parties (RPs) can call `navigator.credentials.get()` with the `identity` option to make a request for users to sign in to the RP via an identity provider (IdP), using identity federation. A typical request would look like this:
+
+```js
+async function signIn() {
+  const identityCredential = await navigator.credentials.get({
+    identity: {
+      providers: [{
+        configURL: 'https://accounts.idp.example/config.json',
+        clientId: '********',
+        nonce: '******'
+      }]
+    }
+  });
+}
+```
+
+Check out [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API#fedcm_sign-in_flow) for more details on how this works. This call will start off the sign-in flow described in [FedCM sign-in flow](http://localhost:5042/en-US/docs/Web/API/FedCM_API#fedcm_sign-in_flow).
+
 ## Specifications
 
 {{Specifications}}
diff --git a/files/en-us/web/api/fedcm_api/index.md b/files/en-us/web/api/fedcm_api/index.md
new file mode 100644
index 000000000000000..6828f9a62bf1fc4
--- /dev/null
+++ b/files/en-us/web/api/fedcm_api/index.md
@@ -0,0 +1,307 @@
+---
+title: Federated Credential Management API (FedCM)
+slug: Web/API/FedCM_API
+page-type: web-api-overview
+tags:
+  - API
+  - Experimental
+  - Overview
+  - Reference
+browser-compat:
+  - api.IdentityCredential
+---
+
+{{SeeCompatTable}}{{DefaultAPISidebar("FedCM API")}}
+
+The Federated Credential Management API (FedCM) API provides a standard mechanism for identity providers to enable identity federation services in a privacy-preserving way, without relying on third-party cookies and redirects, and a JavaScript API for sites that rely on those services for sign-in functionality to make use of them.
+
+## FedCM concepts
+
+Identity federation is the delegation of user authentication from a website that requires user sign-in such as an e-commerce or social networking site (also known as a relying party or RP) to a trusted third party identity provider (IdP). Users will sign up an account with the IdP, which can then be used to sign-in to one or more RPs. Identity federation via a small set of dedicated identity providers has improved web authentication in terms of security, consumer confidence, and user experience, versus having every site handling their own sign-in needs with a separate username and password.
+
+The problem is that traditional identity federation relies on {{htmlelement("iframe")}}s, redirects, and third-party cookies, which are also used for third-party tracking. Browsers are limiting the usage of these features in an effort to preserve user privacy, but a side effect is that this makes valid, non-tracking uses more difficult to implement, and this includes identity federation.
+
+Affected identity federation use cases that rely on third-party cookies:
+
+- [OIDC front-channel logout](https://openid.net/specs/openid-connect-frontchannel-1_0.html): This flow requires the IDP to embed several RP `<iframe>`s, which rely on RP cookies.
+- Social Widgets: In order to provide social widgets, the IdP third-party cookie must be provided from the RP top-level origin.
+- Personalized buttons: The display of personalized sign in information on a {{htmlelement("button")}} in the RP origin is implemented as an IdP `<iframe>` that requires third party cookies.
+- Session Refresh without top-level navigation or popups.
+
+FedCM aims to work around this problem, providing a dedicated machanism for federated identity flows on the web, and enabling supporting browsers to provide special UI elements on RPs, allowing users to choose an IdP account to use for sign-in.
+
+There are two sides to using the FedCM API — IdP integration with FedCM, and RP sign-in using the JavaScript API.
+
+## IdP integration with FedCM
+
+To integrate with FedCM, an identity provider needs to do the following:
+
+1. Provide a well-known file to identify the IdP.
+2. Provide a config file and endpoints for accounts list and assertion issuance (and optionally, client metadata).
+
+### Provide a well-known file
+
+There is a potential privacy issue whereby an [IdP is able to discern whether a user visited an RP without explicit consent](https://github.com/fedidcg/FedCM/issues/230). This has tracking implications, so an IdP is required to provide a well-known file to verify its identity and mitigate this issue.
+
+The well-known file must be served from the [eTLD+1](https://web.dev/same-site-same-origin/#site) of the IdP at `/.well-known/web-identity`.
+
+For example, if the IdP endpoints are served under `https://accounts.idp.example/`, they must serve a well-known file at `https://idp.example/.well-known/web-identity`. The well-known file's content should look have the following JSON structure:
+
+```json
+{
+  "provider_urls": ["https://accounts.idp.example/config.json"]
+}
+```
+
+The `provider_urls` member should contain an array of URLs pointing to valid IdP config files that can be used by RPs to inteact with the IdP. The array length is current limited to one.
+
+### Provide a config file
+
+The IdP config file provides a list of the endpoints required by the browser to process the identity federation flow and sign the user in. IdPs will host this config file and the required endpoints.
+
+The config file (hosted at `https://accounts.idp.example/config.json` in our example) should have the following JSON structure:
+
+```json
+{
+  "accounts_endpoint": "/accounts.php",
+  "client_metadata_endpoint": "/client_metadata.php",
+  "id_assertion_endpoint": "/assertion.php",
+  "branding": {
+    "background_color": "green",
+    "color": "0xFFEEAA",
+    "icons": [{
+      "url": "https://idp.example/icon.ico",
+      "size": 25
+    }]
+  }
+}
+```
+
+The properties are as follows:
+
+- `accounts_endpoint`
+  - : The URL for the accounts list endpoint, which returns a list of accounts that the user is currently signed in to on the IdP. The browser uses these to create a list of sign-in choices to show to the user in the sign-in UI.
+- `client_metadata_endpoint` {{optional_inline}}
+  - : The URL for the client metadata endpoint, which provides URLs pointing to the RP's metadata and terms of service pages, to be used in the browser-supplied sign-in UI.
+- `id_assertion_endpoint`
+  - : The URL for the ID assertion endpoint, which when sent valid user credentials should respond with a validation token that the RP can use to validate the authentication.
+- `branding` {{optional_inline}}
+  - : Contains branding information that will be used in the browser-supplied sign-in UI to customize its appearence as desired by the IdP.
+
+#### The accounts list endpoint
+
+This endpoint returns a list of all the IdP accounts that the user is currently signed in with, with a JSON structure that matches the following:
+
+```json
+{
+ "accounts": [{
+   "id": "1234",
+   "given_name": "John",
+   "name": "John Doe",
+   "email": "john_doe@idp.example",
+   "picture": "https://idp.example/profile/123",
+   "approved_clients": ["123", "456", "789"],
+  }, {
+   "id": "5678",
+   "given_name": "Johnny",
+   "name": "Johnny",
+   "email": "johnny@idp.example",
+   "picture": "https://idp.example/profile/456"
+   "approved_clients": ["abc", "def", "ghi"],
+  }]
+}
+```
+
+This includes the following information:
+
+- `id`
+  - : The unique ID of the user.
+- `name`
+  - : The family name of the user.
+- `email`
+  - : The email address of the user.
+- `given_name` {{optional_inline}}
+  - : The given name of the user.
+- `picture` {{optional_inline}}
+  - : The URL of the user's avatar image.
+- `approved_clients` {{optional_inline}}
+  - : An array of RP clients that the user has registered with.
+
+> **Note:**: If the user is not signed in to any IdP accounts, the endpoint should respond with [HTTP 401 (Unauthorized)](/en-US/docs/Web/HTTP/Status/401).
+
+#### The client metadata endpoint
+
+Provides URLs pointing to the RP's metadata and terms of service pages, to be used in the browser-supplied sign-in UI. This should follow the JSON structure seen below:
+
+```json
+{
+  "privacy_policy_url": "https://rp.example/privacy_policy.html",
+  "terms_of_service_url": "https://rp.example/terms_of_service.html",
+}
+```
+
+#### The ID assertion endpoint
+
+When sent valid user credentials, this endpoint should respond with a validation token that the RP can use to validate the authentication:
+
+```json
+{
+  "token": "***********"
+}
+```
+
+## RP sign-in using the JavaScript API
+
+RPs can call {{domxref("CredentialsContainer.get", "navigator.credentials.get()")}} with an `identity` option to make a request for users to sign in to the RP with the IdP, using the available IdP config and endpoints (as described above). A typical request would look like this:
+
+```js
+async function signIn() {
+  const identityCredential = await navigator.credentials.get({
+    identity: {
+      providers: [{
+        configURL: 'https://accounts.idp.example/config.json',
+        clientId: '********',
+        nonce: '******'
+      }]
+    }
+  });
+}
+```
+
+The `identity.providers` property takes an array of objects containing the path to an IdP config file, the RP's client identifier issued by the IdP, and an optional random nonce that ensures the response is issued for this specific request, preventing {{glossary("replay attack", "replay attacks")}}.
+
+The browser requests the IdP config file and carries out the sign-in flow detailed below. For more information on the kind of interaction a user might expect from the browser-supplied UI, see [Sign in to the relying party with the identity provider](https://developer.chrome.com/docs/privacy-sandbox/fedcm/#sign-into-rp).
+
+### FedCM sign-in flow
+
+1. The RP invokes {{domxref("CredentialsContainer.get", "navigator.credentials.get()")}} to start off the sign-in flow.
+
+2. From the `configURL` provided in the `get()` call, the browser requests two files:
+   1. The well-known file (`/.well-known/web-identity`), available from `/.well-known/web-identity` at the [eTLD+1](https://web.dev/same-site-same-origin/#site) of the `configURL`.
+   2. The config file (`/config.json`), available at the `configURL`.
+
+   These are both a [`GET`](/en-US/docs/Web/HTTP/Methods/GET) requests, which don't have cookies and don't follow redirects. This effectively prevents the IdP from learning who made the request and which RP is attempting to connect.
+
+   For example, the config file request would look like so:
+
+   ```http
+   GET /config.json HTTP/1.1
+   Host: accounts.idp.example
+   Accept: application/json
+   Sec-Fetch-Dest: webidentity
+   ```
+
+   > **Note:** All requests sent from the browser via FedCM include a `Sec-Fetch-Dest: webidentity` header to prevent {{glossary("CSRF")}} attacks. All IdP endpoints must confirm this header is included.
+
+3. The IdP responds with the requested files. The config file URL is validated against the list of valid config URLs inside the well-known file.
+
+4. The browser makes a request to the `accounts_endpoint` inside the config file for the list of accounts that the user is currently signed in to on the IdP. This is a `GET` request with cookies, but without a `client_id` parameter or the {{httpheader("Referer")}} header. This effectively prevents the IdP from learning which RP the user is trying to sign in to.
+
+   For example:
+
+   ```http
+   GET /accounts.php HTTP/1.1
+   Host: accounts.idp.example
+   Accept: application/json
+   Cookie: 0x23223
+   Sec-Fetch-Dest: webidentity
+   ```
+
+5. The IdP responds with the account information.
+
+6. {{optional_inline}} If included in the config file, the browser makes a request to the `client_metadata_endpoint` for the location of the RP's terms of service and privacy policy pages. This is a `GET` request sent with the `clientId` passed into the `get()` call included as a parameter, and without cookies.
+
+   For example:
+
+   ```http
+   GET /client_metadata.php?client_id=1234 HTTP/1.1
+   Host: accounts.idp.example
+   Referer: https://rp.example/
+   Accept: application/json
+   Sec-Fetch-Dest: webidentity
+   ```
+
+7. {{optional_inline}} The IdP responds with the requested URLs.
+
+8. The browser uses the information obtained by the previous two requests to create the UI asking the user for permission to sign in to the RP using their federated IdP account.
+
+9. If the user grants permission to do so, the browser sends some credentials to the `id_assertion_endpoint` and requests a validation token from the IdP.
+
+   The credentials are sent in an HTTP [`POST`](/en-US/docs/Web/HTTP/Methods/POST) request with cookies and a content type of `application/x-www-form-urlencoded`. It should look something like this:
+
+   ```http
+   POST /assertion.php HTTP/1.1
+   Host: accounts.idp.example
+   Referer: https://rp.example/
+   Content-Type: application/x-www-form-urlencoded
+   Cookie: 0x23223
+   Sec-Fetch-Dest: webidentity
+   account_id=123&client_id=client1234&nonce=Ct60bD&disclosure_text_shown=true
+   ```
+
+   The payload should contain the following:
+
+   - `client_id`
+     - : The RP's client identifier.
+   - `account_id`
+     - : The unique ID of the user to be signed in.
+   - `nonce` {{optional_inline}}
+     - : The request nonce, provided by the RP.
+   - `disclosure_text_shown`
+     - : A string of "true" or "false" indicating whether the disclosure text was shown or not. The disclosure text is the information shown to the user (which can include the terms of service and privacy policy links, if provided) if the user is signed in to the IdP but doesn't have an account specifically on the current RP (in which case they'd need to choose to "Continue as..." their IdP identity and then create a corresponding account on the RP).
+
+10. The IdP checks that the account ID sent by the RP matches the ID for the account that is already signed in, and that the `Referer` matches the origin of the RP, which will have been registered in advance with the IdP. If everything looks good, it responds with the validation token.
+
+   > **Note:** The origin of the RP will be registered with the IdP in a completely separate process when the RP first integrates with the IdP. This process will be specific to each IdP.
+
+   The RP validates the validation token. If validation is successful, the `get()` promise resolves with an {{domxref("IdentityCredential")}} object, which provides further RP functionality. Additionally, at this point the RP may register the user or let them sign in and start a new session.
+
+### Features available via IdentityCredential
+
+The {{domxref("IdentityCredential")}} object obtained from a successful FedCM sign-in provides access to the token used to validate the sign-in (see {{domxref("IdentityCredential.token")}}).
+
+## IFrame support
+
+FedCM is usable from within {{htmlelement("iframe")}}s, enabling a couple of use cases:
+
+- Larger sites won't want a third-party sign-in script to gain control over the top-level frame; instead they will want to add that script and invoke FedCM from within an {{htmlelement("iframe")}}.
+- Some `<iframes>` may themselves require federated sign-in.
+
+The {{httpheader("Permissions-Policy/identity-credentials-get", "identity-credentials-get")}} [Permissions-Policy](/en-US/docs/Web/HTTP/Permissions_Policy) can be used to control Permission to use FedCM, more specifically usage of the {{domxref("CredentialsContainer.get", "navigator.credentials.get()")}} method.
+
+A developer can explicitly grant permission for an `<iframe>` to use FedCM via the `allow` attribute:
+
+```html
+<iframe src="3rd-party.example" allow="identity-credentials-get"></iframe> 
+```
+
+## Interfaces
+
+- {{domxref("IdentityCredential")}}
+  - : Represents a user identity credential arising from a successful federated sign-in. A successful {{domxref("CredentialsContainer.get", "navigator.credentials.get()")}} call that includes an `identity` option fulfills with an {{domxref("IdentityCredential")}} instance.
+
+## Extensions to other interfaces
+
+- {{domxref("CredentialsContainer.get()")}}, the `identity` option.
+  - : `identity` is an object containing details of federated identity providers (IdPs) that a relying party (RP) website can use to sign users in. Causes a `get()` call to initiate a request for a user to sign in to a RP with an IdP.
+
+## Examples
+
+- [FedCM sign-in example](https://fedcm-rp-demo.glitch.me/)
+  - [RP source code](https://glitch.com/edit/#!/fedcm-rp-demo?path=server.js%3A1%3A0)
+  - [IdP source code](https://glitch.com/edit/#!/fedcm-idp-demo?path=server.js%3A1%3A0)
+- [FedCM `<iframe>` sign-in](https://fedcm-main-frame.glitch.me/)
+  - [RP `<iframe>` page source code](https://glitch.com/edit/#!/fedcm-main-frame?path=index.html%3A1%3A0)
+  - [IdP source code](https://glitch.com/edit/#!/webid-fcm-idp-single?path=server.js%3A1%3A0)
+
+## Specifications
+
+{{Specifications}}
+
+## Browser compatibility
+
+{{Compat}}
+
+## See also
+
+- [Federated Credential Management API](https://developer.chrome.com/docs/privacy-sandbox/fedcm/)
diff --git a/files/en-us/web/api/federatedcredential/index.md b/files/en-us/web/api/federatedcredential/index.md
index 0ddd9df12e6f9ee..44de6e14484296b 100644
--- a/files/en-us/web/api/federatedcredential/index.md
+++ b/files/en-us/web/api/federatedcredential/index.md
@@ -17,6 +17,8 @@ browser-compat: api.FederatedCredential
 
 The **`FederatedCredential`** interface of the [Credential Management API](/en-US/docs/Web/API/Credential_Management_API) provides information about credentials from a federated identity provider. A federated identity provider is an entity that a website trusts to correctly authenticate a user, and that provides an API for that purpose. [OpenID Connect](https://openid.net/developers/specs/) is an example of a federated identity provider framework.
 
+> **Note:** The newer [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API) provides a more complete solution for handling identity federation in the browser, and uses the {{domxref("IdentityCredential")}} type.
+
 In browsers that support it, an instance of this interface may be passed in the `credential` member of the `init` object for global {{domxref('fetch()')}}.
 
 {{InheritanceDiagram}}
diff --git a/files/en-us/web/api/identitycredential/index.md b/files/en-us/web/api/identitycredential/index.md
new file mode 100644
index 000000000000000..7c0179ee407791e
--- /dev/null
+++ b/files/en-us/web/api/identitycredential/index.md
@@ -0,0 +1,59 @@
+---
+title: IdentityCredential
+slug: Web/API/IdentityCredential
+page-type: web-api-interface
+tags:
+  - API
+  - Experimental
+  - IdentityCredential
+  - Interface
+  - Reference
+browser-compat: api.IdentityCredential
+---
+
+{{APIRef("FedCM API")}}{{SeeCompatTable}}
+
+The **`IdentityCredential`** interface of the [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API) represents a user identity credential arising from a successful federated sign-in.
+
+{{InheritanceDiagram}}
+
+## Instance properties
+
+_Inherits properties from its ancestor, {{domxref("Credential")}}._
+
+- {{domxref("IdentityCredential.token")}} {{experimental_inline}}
+  - : Returns a {{jsxref("Promise")}} that resolves with the {{domxref("Credential")}} instance that matches the provided parameters.
+
+## Examples
+
+Relying parties (RPs) can call `navigator.credentials.get()` with the `identity` option to make a request for users to sign in to the RP via an identity provider (IdP), using identity federation. A typical request would look like this:
+
+```js
+async function signIn() {
+  const identityCredential = await navigator.credentials.get({
+    identity: {
+      providers: [{
+        configURL: 'https://accounts.idp.example/config.json',
+        clientId: '********',
+        nonce: '******'
+      }]
+    }
+  });
+}
+```
+
+A successful {{domxref("CredentialsContainer.get", "navigator.credentials.get()")}} call that includes an `identity` option fulfills with an `IdentityCredential` instance.
+
+Check out [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API#fedcm_sign-in_flow) for more details on how this works. This call will start off the sign-in flow described in [FedCM sign-in flow](http://localhost:5042/en-US/docs/Web/API/FedCM_API#fedcm_sign-in_flow).
+
+## Specifications
+
+{{Specifications}}
+
+## Browser compatibility
+
+{{Compat}}
+
+## See also
+
+- [Federated Credential Management API](https://developer.chrome.com/docs/privacy-sandbox/fedcm/)
diff --git a/files/en-us/web/api/identitycredential/token/index.md b/files/en-us/web/api/identitycredential/token/index.md
new file mode 100644
index 000000000000000..fcbb28268333051
--- /dev/null
+++ b/files/en-us/web/api/identitycredential/token/index.md
@@ -0,0 +1,57 @@
+---
+title: IdentityCredential.token
+slug: Web/API/IdentityCredential/token
+page-type: web-api-instance-property
+tags:
+  - API
+  - Experimental
+  - Property
+  - Read-only
+  - Reference
+  - token
+browser-compat: api.IdentityCredential.token
+---
+
+{{APIRef("FedCM API")}}{{SeeCompatTable}}
+
+The **`token`** read-only property of the {{domxref("IdentityCredential")}} interface returns the token used to validate the associated sign-in.
+
+## Value
+
+A string.
+
+## Examples
+
+Relying parties (RPs) can call `navigator.credentials.get()` with the `identity` option to make a request for users to sign in to the RP via an identity provider (IdP), using identity federation. A typical request would look like this:
+
+```js
+async function signIn() {
+  const identityCredential = await navigator.credentials.get({
+    identity: {
+      providers: [{
+        configURL: 'https://accounts.idp.example/config.json',
+        clientId: '********',
+        nonce: '******'
+      }]
+    }
+  });
+
+  console.log(identityCredential.token);
+}
+```
+
+A successful {{domxref("CredentialsContainer.get", "navigator.credentials.get()")}} call that includes an `identity` option fulfills with an `IdentityCredential` instance, which can be used to access the token used to validate the sign-in.
+
+Check out [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API#fedcm_sign-in_flow) for more details on how this works. This call will start off the sign-in flow described in [FedCM sign-in flow](http://localhost:5042/en-US/docs/Web/API/FedCM_API#fedcm_sign-in_flow).
+
+## Specifications
+
+{{Specifications}}
+
+## Browser compatibility
+
+{{Compat}}
+
+## See also
+
+- [Federated Credential Management API](https://developer.chrome.com/docs/privacy-sandbox/fedcm/)
diff --git a/files/jsondata/GroupData.json b/files/jsondata/GroupData.json
index dc7db879bcb2e62..8daf0d796a73104 100644
--- a/files/jsondata/GroupData.json
+++ b/files/jsondata/GroupData.json
@@ -412,6 +412,13 @@
       "properties": [],
       "events": []
     },
+    "FedCM API": {
+      "overview": ["FedCM API"],
+      "interfaces": ["IdentityCredential"],
+      "methods": ["CredentialsContainer.get()"],
+      "properties": [],
+      "events": []
+    },
     "Fetch API": {
       "overview": ["Fetch API"],
       "guides": [

From f100d682ac73652e0074f6f62b21b8c9f39d0f93 Mon Sep 17 00:00:00 2001
From: Chris Mills <chrisdavidmills@gmail.com>
Date: Mon, 16 Jan 2023 12:07:33 +0000
Subject: [PATCH 2/8] Add docs for FedCM API

---
 files/en-us/web/api/fedcm_api/index.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/files/en-us/web/api/fedcm_api/index.md b/files/en-us/web/api/fedcm_api/index.md
index 6828f9a62bf1fc4..695b4bab5ac8294 100644
--- a/files/en-us/web/api/fedcm_api/index.md
+++ b/files/en-us/web/api/fedcm_api/index.md
@@ -252,9 +252,9 @@ The browser requests the IdP config file and carries out the sign-in flow detail
 
 10. The IdP checks that the account ID sent by the RP matches the ID for the account that is already signed in, and that the `Referer` matches the origin of the RP, which will have been registered in advance with the IdP. If everything looks good, it responds with the validation token.
 
-   > **Note:** The origin of the RP will be registered with the IdP in a completely separate process when the RP first integrates with the IdP. This process will be specific to each IdP.
+  > **Note:** The origin of the RP will be registered with the IdP in a completely separate process when the RP first integrates with the IdP. This process will be specific to each IdP.
 
-   The RP validates the validation token. If validation is successful, the `get()` promise resolves with an {{domxref("IdentityCredential")}} object, which provides further RP functionality. Additionally, at this point the RP may register the user or let them sign in and start a new session.
+When the flow is complete, the RP validates the validation token. If validation is successful, the `get()` promise resolves with an {{domxref("IdentityCredential")}} object, which provides further RP functionality. Additionally, at this point the RP may register the user or let them sign in and start a new session.
 
 ### Features available via IdentityCredential
 

From f8508305954aefc28155a55b34fdab7927985c47 Mon Sep 17 00:00:00 2001
From: Chris Mills <chrisdavidmills@gmail.com>
Date: Mon, 16 Jan 2023 13:58:13 +0000
Subject: [PATCH 3/8] Add identity-credentials-get Permissions-Policy info

---
 .../web/api/credentialscontainer/get/index.md | 29 ++++++------
 files/en-us/web/api/fedcm_api/index.md        | 16 +++----
 .../identity-credentials-get/index.md         | 45 +++++++++++++++++++
 .../http/headers/permissions-policy/index.md  |  3 ++
 4 files changed, 70 insertions(+), 23 deletions(-)
 create mode 100644 files/en-us/web/http/headers/permissions-policy/identity-credentials-get/index.md

diff --git a/files/en-us/web/api/credentialscontainer/get/index.md b/files/en-us/web/api/credentialscontainer/get/index.md
index 3577c053ae1b483..831f2d45ad261d3 100644
--- a/files/en-us/web/api/credentialscontainer/get/index.md
+++ b/files/en-us/web/api/credentialscontainer/get/index.md
@@ -17,8 +17,7 @@ browser-compat: api.CredentialsContainer.get
 
 The **`get()`** method of the
 {{domxref("CredentialsContainer")}} interface returns a {{jsxref("Promise")}} to a
-single {{domxref("Credential")}} instance that matches the provided parameters. If no
-match is found the Promise will resolve to null.
+single {{domxref("Credential")}} instance that matches the provided parameters.
 
 This method first collects all credentials in the {{domxref("CredentialsContainer")}}
 that meet the necessary criteria (defined in the **`options`**
@@ -26,13 +25,7 @@ argument). From the resulting set of credentials, it then selects the best one.
 Depending on the options, it may display a dialog to the user and ask the user to make
 the selection.
 
-This method collects credentials by calling the "CollectFromCredentialStore" method for
-each credential type allowed by the **`options`** argument. For
-example: if options.password exists, then the
-{{domxref("PasswordCredential")}}.\[\[CollectFromCredentialStore]] is called.
-
-> **Note:** This method is restricted to top-level contexts. Calls to it within an
-> `<iframe>` element will resolve without effect.
+> **Note:** Usage of this feature may be blocked by an {{httpheader("Permissions-Policy/identity-credentials-get", "identity-credentials-get")}} or {{HTTPHeader("Permissions-Policy/publickey-credentials-get","publickey-credentials-get")}} [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) set on your server.
 
 ## Syntax
 
@@ -45,7 +38,7 @@ get(options)
 
 - `options` {{optional_inline}}
 
-  - : An object of type {{domxref("CredentialRequestOptions")}} that contains options for
+  - : An object that contains options for
     the request. The options include criteria that the credentials are required or allowed
     to have, and options for interacting with the user. It can contain the following
     properties:
@@ -106,13 +99,17 @@ get(options)
 ### Return value
 
 A {{jsxref("Promise")}} that resolves with a {{domxref("Credential")}} instance that
-matches the provided parameters. If a single Credential cannot be unambiguously
-obtained, the Promise will resolve to null.
+matches the provided parameters. If a single credential cannot be unambiguously
+obtained, the Promise will resolve to `null`.
 
 ### Exceptions
 
+- `NetworkError` {{domxref("DOMException")}}
+  - : In the case of a `get()` call with an `identity` option, this exception is thrown if the IdP does not respond within 60 seconds, or if the provided credentials are not valid/found.
+- `NotAllowedError` {{domxref("DOMException")}}
+  - : Use of this feature was blocked by an {{HTTPHeader("Permissions-Policy/identity-credentials-get","identity-credentials-get")}} [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy).
 - `SecurityError` {{domxref("DOMException")}}
-  - : Use of this feature was blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy).
+  - : Use of this feature was blocked by a {{HTTPHeader("Permissions-Policy/publickey-credentials-get","publickey-credentials-get")}} [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy).
 
 ## Examples
 
@@ -146,5 +143,7 @@ Check out [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedC
 
 ## See also
 
-- {{HTTPHeader("Permissions-Policy")}} directive
-  {{HTTPHeader("Permissions-Policy/publickey-credentials-get","publickey-credentials-get")}}
+- [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API)
+- {{HTTPHeader("Permissions-Policy")}} directives:
+  - {{HTTPHeader("Permissions-Policy/identity-credentials-get","identity-credentials-get")}}
+  - {{HTTPHeader("Permissions-Policy/publickey-credentials-get","publickey-credentials-get")}}
diff --git a/files/en-us/web/api/fedcm_api/index.md b/files/en-us/web/api/fedcm_api/index.md
index 695b4bab5ac8294..48e16106f57e8f8 100644
--- a/files/en-us/web/api/fedcm_api/index.md
+++ b/files/en-us/web/api/fedcm_api/index.md
@@ -260,21 +260,21 @@ When the flow is complete, the RP validates the validation token. If validation
 
 The {{domxref("IdentityCredential")}} object obtained from a successful FedCM sign-in provides access to the token used to validate the sign-in (see {{domxref("IdentityCredential.token")}}).
 
-## IFrame support
+## Permissions Policy integration and IFrame support
 
-FedCM is usable from within {{htmlelement("iframe")}}s, enabling a couple of use cases:
+The {{httpheader("Permissions-Policy/identity-credentials-get", "identity-credentials-get")}} [Permissions-Policy](/en-US/docs/Web/HTTP/Permissions_Policy) can be used to control permission to use FedCM, more specifically usage of the {{domxref("CredentialsContainer.get", "navigator.credentials.get()")}} method.
 
-- Larger sites won't want a third-party sign-in script to gain control over the top-level frame; instead they will want to add that script and invoke FedCM from within an {{htmlelement("iframe")}}.
-- Some `<iframes>` may themselves require federated sign-in.
-
-The {{httpheader("Permissions-Policy/identity-credentials-get", "identity-credentials-get")}} [Permissions-Policy](/en-US/docs/Web/HTTP/Permissions_Policy) can be used to control Permission to use FedCM, more specifically usage of the {{domxref("CredentialsContainer.get", "navigator.credentials.get()")}} method.
-
-A developer can explicitly grant permission for an `<iframe>` to use FedCM via the `allow` attribute:
+Developers can explicitly grant permission for an {{htmlelement("iframe")}} to use FedCM via the `allow` attribute:
 
 ```html
 <iframe src="3rd-party.example" allow="identity-credentials-get"></iframe> 
 ```
 
+The availability of FedCM within `<iframe>`s enables a couple of use cases:
+
+- Larger sites won't want a third-party sign-in script to gain control over the top-level frame; instead they will want to add that script and invoke FedCM from within an {{htmlelement("iframe")}}.
+- Some `<iframes>` may themselves require federated sign-in.
+
 ## Interfaces
 
 - {{domxref("IdentityCredential")}}
diff --git a/files/en-us/web/http/headers/permissions-policy/identity-credentials-get/index.md b/files/en-us/web/http/headers/permissions-policy/identity-credentials-get/index.md
new file mode 100644
index 000000000000000..e1199d165878487
--- /dev/null
+++ b/files/en-us/web/http/headers/permissions-policy/identity-credentials-get/index.md
@@ -0,0 +1,45 @@
+---
+title: 'Permissions-Policy: identity-credentials-get'
+slug: Web/HTTP/Headers/Permissions-Policy/identity-credentials-get
+tags:
+  - Directive
+  - Permissions Policy
+  - Permissions-Policy
+  - HTTP
+  - Reference
+  - Experimental
+browser-compat: http.headers.Permissions-Policy.identity-credentials-get
+---
+
+{{HTTPSidebar}}{{SeeCompatTable}}
+
+The HTTP {{HTTPHeader("Permissions-Policy")}} header `identity-credentials-get` directive controls whether the current document is allowed to use the [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API), and more specifically the {{domxref("CredentialsContainer.get", "navigator.credentials.get()")}} method with an `identity` option.
+
+Where this policy forbids use of the API, the {{jsxref("Promise")}} returned by the `get()` call will reject with a `NotAllowedError` {{domxref("DOMException")}}.
+
+## Syntax
+
+```http
+Permissions-Policy: identity-credentials-get=<allowlist>;
+```
+
+- `<allowlist>`
+  - : A list of origins for which permission is granted to use the feature. See [`Permissions-Policy` > Syntax](/en-US/docs/Web/HTTP/Headers/Permissions-Policy#syntax) for more details.
+
+## Default policy
+
+The default allowlist for `identity-credentials-get` is `self`.
+
+## Specifications
+
+{{Specifications}}
+
+## Browser compatibility
+
+{{Compat}}
+
+## See also
+
+- [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API)
+- {{HTTPHeader("Permissions-Policy")}} header
+- [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy)
diff --git a/files/en-us/web/http/headers/permissions-policy/index.md b/files/en-us/web/http/headers/permissions-policy/index.md
index 1daf5783f453d47..4b53cc5823fcdea 100644
--- a/files/en-us/web/http/headers/permissions-policy/index.md
+++ b/files/en-us/web/http/headers/permissions-policy/index.md
@@ -116,6 +116,9 @@ You can specify
 - {{httpheader('Permissions-Policy/hid','hid')}} {{Experimental_Inline}}
   - : Controls whether the current document is allowed to use the {{domxref("WebHID API", "WebHID API", "", "nocode")}} to connect to uncommon or exotic human interface devices such as alternative keyboards or gamepads.
 
+- {{httpheader('Permissions-Policy/identity-credentials-get','identity-credentials-get')}} {{Experimental_Inline}}
+  - : Controls whether the current document is allowed to use the [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API), and more specifically the {{domxref("CredentialsContainer.get", "navigator.credentials.get()")}} method with an `identity` option. Where this policy forbids use of the API, the {{jsxref("Promise")}} returned by the `get()` call will reject with a `NotAllowedError` {{domxref("DOMException")}}.
+
 - {{httpheader('Permissions-Policy/idle-detection','idle-detection')}} {{Experimental_Inline}}
   - : Controls whether the current document is allowed to use the {{domxref("Idle Detection API", "Idle Detection API", "", "nocode")}} to detect when users are interacting with their devices, for example to report "available"/"away" status in chat applications.
 

From 6c0f076eb5586e8d072c049326188a33f041d9cc Mon Sep 17 00:00:00 2001
From: Chris Mills <chrisdavidmills@gmail.com>
Date: Tue, 7 Feb 2023 07:34:59 +0000
Subject: [PATCH 4/8] Making fixes for agektmr comments

---
 files/en-us/web/api/fedcm_api/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/files/en-us/web/api/fedcm_api/index.md b/files/en-us/web/api/fedcm_api/index.md
index 48e16106f57e8f8..972651da382637b 100644
--- a/files/en-us/web/api/fedcm_api/index.md
+++ b/files/en-us/web/api/fedcm_api/index.md
@@ -45,7 +45,7 @@ There is a potential privacy issue whereby an [IdP is able to discern whether a
 
 The well-known file must be served from the [eTLD+1](https://web.dev/same-site-same-origin/#site) of the IdP at `/.well-known/web-identity`.
 
-For example, if the IdP endpoints are served under `https://accounts.idp.example/`, they must serve a well-known file at `https://idp.example/.well-known/web-identity`. The well-known file's content should look have the following JSON structure:
+For example, if the IdP endpoints are served under `https://accounts.idp.example/`, they must serve a well-known file at `https://idp.example/.well-known/web-identity`. The well-known file's content should have the following JSON structure:
 
 ```json
 {

From 09e7c0a615b22e998950fd2141fa3e9b19c741e8 Mon Sep 17 00:00:00 2001
From: Chris Mills <chrisdavidmills@gmail.com>
Date: Tue, 7 Feb 2023 15:50:50 +0000
Subject: [PATCH 5/8] Update files/en-us/glossary/replay_attack/index.md

Co-authored-by: Jean-Yves Perrier <jypenator@gmail.com>
---
 files/en-us/glossary/replay_attack/index.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/files/en-us/glossary/replay_attack/index.md b/files/en-us/glossary/replay_attack/index.md
index 26d90d856b16bfa..ae8d0b23a0aad11 100644
--- a/files/en-us/glossary/replay_attack/index.md
+++ b/files/en-us/glossary/replay_attack/index.md
@@ -5,9 +5,9 @@ tags:
   - Security
 ---
 
-In web security, a _replay attack_ is when an attacker intercepts a previously-sent message and resends it at a later time to get the same credentials as the original message, potentially with a different payload or instruction.
+In web security, a _replay attack_ is when an attacker intercepts a previously-sent message and resends it later to get the same credentials as the original message, potentially with a different payload or instruction.
 
-Replay attacks can be prevented by including a unique, single-use identifier with each message that can be used by the receiver to verify the authenticity of the transmission. This can take the form of a session token or "number used only once" ("nonce").
+Replay attacks can be prevented by including a unique, single-use identifier with each message that the receiver can use to verify the authenticity of the transmission. This identifier can take the form of a session token or "number used only once" ("nonce").
 
 ## See also
 

From 3f3f78c93c30230ee93164568dc1e00457b80c95 Mon Sep 17 00:00:00 2001
From: Chris Mills <chrisdavidmills@gmail.com>
Date: Tue, 7 Feb 2023 15:51:37 +0000
Subject: [PATCH 6/8] Update files/en-us/web/api/fedcm_api/index.md

Co-authored-by: Jean-Yves Perrier <jypenator@gmail.com>
---
 files/en-us/web/api/fedcm_api/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/files/en-us/web/api/fedcm_api/index.md b/files/en-us/web/api/fedcm_api/index.md
index 972651da382637b..b824876b3f310fc 100644
--- a/files/en-us/web/api/fedcm_api/index.md
+++ b/files/en-us/web/api/fedcm_api/index.md
@@ -13,7 +13,7 @@ browser-compat:
 
 {{SeeCompatTable}}{{DefaultAPISidebar("FedCM API")}}
 
-The Federated Credential Management API (FedCM) API provides a standard mechanism for identity providers to enable identity federation services in a privacy-preserving way, without relying on third-party cookies and redirects, and a JavaScript API for sites that rely on those services for sign-in functionality to make use of them.
+The **Federated Credential Management API** (or _FedCM API_) provides a standard mechanism for identity providers to enable identity federation services in a privacy-preserving way without relying on third-party cookies and redirects, and a JavaScript API for sites that depend on those services for sign-in functionality to make use of them.
 
 ## FedCM concepts
 

From 00d7c821706ac697d808203e2670473b058fdcec Mon Sep 17 00:00:00 2001
From: Chris Mills <chrisdavidmills@gmail.com>
Date: Mon, 6 Mar 2023 07:17:24 +0000
Subject: [PATCH 7/8] Change Referer header references to to Origin

---
 files/en-us/web/api/fedcm_api/index.md | 39 +++++++++++++++-----------
 1 file changed, 22 insertions(+), 17 deletions(-)

diff --git a/files/en-us/web/api/fedcm_api/index.md b/files/en-us/web/api/fedcm_api/index.md
index b824876b3f310fc..a789ff7a9945c6c 100644
--- a/files/en-us/web/api/fedcm_api/index.md
+++ b/files/en-us/web/api/fedcm_api/index.md
@@ -69,10 +69,12 @@ The config file (hosted at `https://accounts.idp.example/config.json` in our exa
   "branding": {
     "background_color": "green",
     "color": "0xFFEEAA",
-    "icons": [{
-      "url": "https://idp.example/icon.ico",
-      "size": 25
-    }]
+    "icons": [
+      {
+        "url": "https://idp.example/icon.ico",
+        "size": 25
+      }
+    ]
   }
 }
 ```
@@ -136,7 +138,7 @@ Provides URLs pointing to the RP's metadata and terms of service pages, to be us
 ```json
 {
   "privacy_policy_url": "https://rp.example/privacy_policy.html",
-  "terms_of_service_url": "https://rp.example/terms_of_service.html",
+  "terms_of_service_url": "https://rp.example/terms_of_service.html"
 }
 ```
 
@@ -158,12 +160,14 @@ RPs can call {{domxref("CredentialsContainer.get", "navigator.credentials.get()"
 async function signIn() {
   const identityCredential = await navigator.credentials.get({
     identity: {
-      providers: [{
-        configURL: 'https://accounts.idp.example/config.json',
-        clientId: '********',
-        nonce: '******'
-      }]
-    }
+      providers: [
+        {
+          configURL: "https://accounts.idp.example/config.json",
+          clientId: "********",
+          nonce: "******",
+        },
+      ],
+    },
   });
 }
 ```
@@ -177,6 +181,7 @@ The browser requests the IdP config file and carries out the sign-in flow detail
 1. The RP invokes {{domxref("CredentialsContainer.get", "navigator.credentials.get()")}} to start off the sign-in flow.
 
 2. From the `configURL` provided in the `get()` call, the browser requests two files:
+
    1. The well-known file (`/.well-known/web-identity`), available from `/.well-known/web-identity` at the [eTLD+1](https://web.dev/same-site-same-origin/#site) of the `configURL`.
    2. The config file (`/config.json`), available at the `configURL`.
 
@@ -195,7 +200,7 @@ The browser requests the IdP config file and carries out the sign-in flow detail
 
 3. The IdP responds with the requested files. The config file URL is validated against the list of valid config URLs inside the well-known file.
 
-4. The browser makes a request to the `accounts_endpoint` inside the config file for the list of accounts that the user is currently signed in to on the IdP. This is a `GET` request with cookies, but without a `client_id` parameter or the {{httpheader("Referer")}} header. This effectively prevents the IdP from learning which RP the user is trying to sign in to.
+4. The browser makes a request to the `accounts_endpoint` inside the config file for the list of accounts that the user is currently signed in to on the IdP. This is a `GET` request with cookies, but without a `client_id` parameter or the {{httpheader("Origin")}} header. This effectively prevents the IdP from learning which RP the user is trying to sign in to.
 
    For example:
 
@@ -216,7 +221,7 @@ The browser requests the IdP config file and carries out the sign-in flow detail
    ```http
    GET /client_metadata.php?client_id=1234 HTTP/1.1
    Host: accounts.idp.example
-   Referer: https://rp.example/
+   Origin: https://rp.example/
    Accept: application/json
    Sec-Fetch-Dest: webidentity
    ```
@@ -232,7 +237,7 @@ The browser requests the IdP config file and carries out the sign-in flow detail
    ```http
    POST /assertion.php HTTP/1.1
    Host: accounts.idp.example
-   Referer: https://rp.example/
+   Origin: https://rp.example/
    Content-Type: application/x-www-form-urlencoded
    Cookie: 0x23223
    Sec-Fetch-Dest: webidentity
@@ -250,9 +255,9 @@ The browser requests the IdP config file and carries out the sign-in flow detail
    - `disclosure_text_shown`
      - : A string of "true" or "false" indicating whether the disclosure text was shown or not. The disclosure text is the information shown to the user (which can include the terms of service and privacy policy links, if provided) if the user is signed in to the IdP but doesn't have an account specifically on the current RP (in which case they'd need to choose to "Continue as..." their IdP identity and then create a corresponding account on the RP).
 
-10. The IdP checks that the account ID sent by the RP matches the ID for the account that is already signed in, and that the `Referer` matches the origin of the RP, which will have been registered in advance with the IdP. If everything looks good, it responds with the validation token.
+10. The IdP checks that the account ID sent by the RP matches the ID for the account that is already signed in, and that the `Origin` matches the origin of the RP, which will have been registered in advance with the IdP. If everything looks good, it responds with the validation token.
 
-  > **Note:** The origin of the RP will be registered with the IdP in a completely separate process when the RP first integrates with the IdP. This process will be specific to each IdP.
+> **Note:** The origin of the RP will be registered with the IdP in a completely separate process when the RP first integrates with the IdP. This process will be specific to each IdP.
 
 When the flow is complete, the RP validates the validation token. If validation is successful, the `get()` promise resolves with an {{domxref("IdentityCredential")}} object, which provides further RP functionality. Additionally, at this point the RP may register the user or let them sign in and start a new session.
 
@@ -267,7 +272,7 @@ The {{httpheader("Permissions-Policy/identity-credentials-get", "identity-creden
 Developers can explicitly grant permission for an {{htmlelement("iframe")}} to use FedCM via the `allow` attribute:
 
 ```html
-<iframe src="3rd-party.example" allow="identity-credentials-get"></iframe> 
+<iframe src="3rd-party.example" allow="identity-credentials-get"></iframe>
 ```
 
 The availability of FedCM within `<iframe>`s enables a couple of use cases:

From 3729ae028a57d3c49494d534375fe19628b5eb7a Mon Sep 17 00:00:00 2001
From: Chris Mills <chrisdavidmills@gmail.com>
Date: Wed, 22 Mar 2023 07:37:42 +0000
Subject: [PATCH 8/8] Making fixes for teoli2003 comments

---
 files/en-us/glossary/replay_attack/index.md      |  2 +-
 .../web/api/credentialscontainer/get/index.md    | 16 +++++++++-------
 files/en-us/web/api/federatedcredential/index.md |  2 +-
 files/en-us/web/api/identitycredential/index.md  | 16 +++++++++-------
 .../web/api/identitycredential/token/index.md    | 16 +++++++++-------
 5 files changed, 29 insertions(+), 23 deletions(-)

diff --git a/files/en-us/glossary/replay_attack/index.md b/files/en-us/glossary/replay_attack/index.md
index ae8d0b23a0aad11..a6a08897875859f 100644
--- a/files/en-us/glossary/replay_attack/index.md
+++ b/files/en-us/glossary/replay_attack/index.md
@@ -5,7 +5,7 @@ tags:
   - Security
 ---
 
-In web security, a _replay attack_ is when an attacker intercepts a previously-sent message and resends it later to get the same credentials as the original message, potentially with a different payload or instruction.
+In web security, a _replay attack_ happens when an attacker intercepts a previously-sent message and resends it later to get the same credentials as the original message, potentially with a different payload or instruction.
 
 Replay attacks can be prevented by including a unique, single-use identifier with each message that the receiver can use to verify the authenticity of the transmission. This identifier can take the form of a session token or "number used only once" ("nonce").
 
diff --git a/files/en-us/web/api/credentialscontainer/get/index.md b/files/en-us/web/api/credentialscontainer/get/index.md
index 72d123a52a566e4..ffbb9f8c15a3b06 100644
--- a/files/en-us/web/api/credentialscontainer/get/index.md
+++ b/files/en-us/web/api/credentialscontainer/get/index.md
@@ -113,17 +113,19 @@ Relying parties (RPs) can call `navigator.credentials.get()` with the `identity`
 async function signIn() {
   const identityCredential = await navigator.credentials.get({
     identity: {
-      providers: [{
-        configURL: 'https://accounts.idp.example/config.json',
-        clientId: '********',
-        nonce: '******'
-      }]
-    }
+      providers: [
+        {
+          configURL: "https://accounts.idp.example/config.json",
+          clientId: "********",
+          nonce: "******",
+        },
+      ],
+    },
   });
 }
 ```
 
-Check out [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API#fedcm_sign-in_flow) for more details on how this works. This call will start off the sign-in flow described in [FedCM sign-in flow](http://localhost:5042/en-US/docs/Web/API/FedCM_API#fedcm_sign-in_flow).
+Check out [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API) for more details on how this works. This call will start off the sign-in flow described in [FedCM sign-in flow](/en-US/docs/Web/API/FedCM_API#fedcm_sign-in_flow).
 
 ## Specifications
 
diff --git a/files/en-us/web/api/federatedcredential/index.md b/files/en-us/web/api/federatedcredential/index.md
index 29f08dbaa503c93..cd6e2bd327cd0cf 100644
--- a/files/en-us/web/api/federatedcredential/index.md
+++ b/files/en-us/web/api/federatedcredential/index.md
@@ -11,7 +11,7 @@ browser-compat: api.FederatedCredential
 
 The **`FederatedCredential`** interface of the [Credential Management API](/en-US/docs/Web/API/Credential_Management_API) provides information about credentials from a federated identity provider. A federated identity provider is an entity that a website trusts to correctly authenticate a user, and that provides an API for that purpose. [OpenID Connect](https://openid.net/developers/specs/) is an example of a federated identity provider framework.
 
-> **Note:** The newer [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API) provides a more complete solution for handling identity federation in the browser, and uses the {{domxref("IdentityCredential")}} type.
+> **Note:** The [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API) provides a more complete solution for handling identity federation in the browser, and uses the {{domxref("IdentityCredential")}} type.
 
 In browsers that support it, an instance of this interface may be passed in the `credential` member of the `init` object for global {{domxref('fetch()')}}.
 
diff --git a/files/en-us/web/api/identitycredential/index.md b/files/en-us/web/api/identitycredential/index.md
index 7c0179ee407791e..5a2e4289b64772f 100644
--- a/files/en-us/web/api/identitycredential/index.md
+++ b/files/en-us/web/api/identitycredential/index.md
@@ -32,19 +32,21 @@ Relying parties (RPs) can call `navigator.credentials.get()` with the `identity`
 async function signIn() {
   const identityCredential = await navigator.credentials.get({
     identity: {
-      providers: [{
-        configURL: 'https://accounts.idp.example/config.json',
-        clientId: '********',
-        nonce: '******'
-      }]
-    }
+      providers: [
+        {
+          configURL: "https://accounts.idp.example/config.json",
+          clientId: "********",
+          nonce: "******",
+        },
+      ],
+    },
   });
 }
 ```
 
 A successful {{domxref("CredentialsContainer.get", "navigator.credentials.get()")}} call that includes an `identity` option fulfills with an `IdentityCredential` instance.
 
-Check out [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API#fedcm_sign-in_flow) for more details on how this works. This call will start off the sign-in flow described in [FedCM sign-in flow](http://localhost:5042/en-US/docs/Web/API/FedCM_API#fedcm_sign-in_flow).
+Check out [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API) for more details on how this works. This call will start off the sign-in flow described in [FedCM sign-in flow](/en-US/docs/Web/API/FedCM_API#fedcm_sign-in_flow).
 
 ## Specifications
 
diff --git a/files/en-us/web/api/identitycredential/token/index.md b/files/en-us/web/api/identitycredential/token/index.md
index fcbb28268333051..56d095138464a0c 100644
--- a/files/en-us/web/api/identitycredential/token/index.md
+++ b/files/en-us/web/api/identitycredential/token/index.md
@@ -28,12 +28,14 @@ Relying parties (RPs) can call `navigator.credentials.get()` with the `identity`
 async function signIn() {
   const identityCredential = await navigator.credentials.get({
     identity: {
-      providers: [{
-        configURL: 'https://accounts.idp.example/config.json',
-        clientId: '********',
-        nonce: '******'
-      }]
-    }
+      providers: [
+        {
+          configURL: "https://accounts.idp.example/config.json",
+          clientId: "********",
+          nonce: "******",
+        },
+      ],
+    },
   });
 
   console.log(identityCredential.token);
@@ -42,7 +44,7 @@ async function signIn() {
 
 A successful {{domxref("CredentialsContainer.get", "navigator.credentials.get()")}} call that includes an `identity` option fulfills with an `IdentityCredential` instance, which can be used to access the token used to validate the sign-in.
 
-Check out [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API#fedcm_sign-in_flow) for more details on how this works. This call will start off the sign-in flow described in [FedCM sign-in flow](http://localhost:5042/en-US/docs/Web/API/FedCM_API#fedcm_sign-in_flow).
+Check out [Federated Credential Management API (FedCM)](/en-US/docs/Web/API/FedCM_API) for more details on how this works. This call will start off the sign-in flow described in [FedCM sign-in flow](/en-US/docs/Web/API/FedCM_API#fedcm_sign-in_flow).
 
 ## Specifications