spec: Specify select account flow with custom ui #5788
```text
│
│ User clicks "Continue" (selects account at index N)
│ ↓
├─▶ GET /api/v1/select_account?x_ref=...&x_account_index=N
```
We've discussed the possibility of changing this to a POST request, but did not find a good way. The restriction comes from the SameSite=Lax cookie, which is not readable by a POST request.
> Send the cookie only for requests originating from the same site that set the cookie, and for cross-site requests that meet both of the following criteria:
>
> - The request is a top-level navigation: this essentially means that the request causes the URL shown in the browser's address bar to change. This would exclude, for example, requests made using the `fetch()` API, or requests for subresources from `<img>` or `<script>` elements, or navigations inside `<iframe>` elements. It would include requests made when the user clicks a link in the top-level browsing context from one site to another, or an assignment to `document.location`, or a `<form>` submission.
ref DEV-3670
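The following is an added illustration, not code from this PR or from the project: it models the browser's SameSite decision that the comment above relies on, so the difference between a top-level GET navigation to `/api/v1/select_account` and a cross-site POST (or `fetch()`) is visible as a return value rather than as a silently missing cookie. The cookie name, the Set-Cookie header and the request descriptions are constructed for the example; the decision rules follow the quoted Lax behaviour (same-site requests always carry the cookie; cross-site requests only when they are a top-level navigation using a safe method).

```javascript
// Added example (not part of PR #5788): a model of when a browser attaches a
// cookie to a request, based on the cookie's SameSite attribute.
// Everything here (cookie name, header, scenarios) is constructed.

// "Safe" HTTP methods in the sense of the SameSite rules: Lax cookies ride
// along on cross-site top-level navigations only when the method is one of these.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Extract the SameSite attribute from a Set-Cookie header value.
// Returns "Strict", "Lax" or "None". An absent or unrecognised value is
// treated as "Lax", matching the default modern browsers apply.
function sameSiteOf(setCookie) {
  const attrs = setCookie.split(";").slice(1).map((a) => a.trim());
  for (const attr of attrs) {
    const [name, value = ""] = attr.split("=").map((s) => s.trim());
    if (name.toLowerCase() === "samesite") {
      const v = value.toLowerCase();
      if (v === "strict") return "Strict";
      if (v === "none") return "None";
      return "Lax";
    }
  }
  return "Lax";
}

// Decide whether a cookie with the given SameSite value is attached to a request.
// req: { crossSite: boolean, topLevelNavigation: boolean, method: string }
function cookieAttached(sameSite, req) {
  if (!req.crossSite) return true; // same-site requests always carry the cookie
  switch (sameSite) {
    case "None":
      return true; // cross-site allowed (browsers additionally require Secure)
    case "Strict":
      return false; // never sent on any cross-site request
    case "Lax":
      // Only top-level navigations with a safe method: a link click, a
      // document.location assignment or a GET form; not a POST form, not fetch().
      return req.topLevelNavigation && SAFE_METHODS.has(req.method.toUpperCase());
    default:
      return false;
  }
}

// Scenarios mirroring the discussion: a custom UI hosted on another site sends
// the browser to /api/v1/select_account on the site that set the session cookie.
function selectAccountScenarios() {
  const setCookie = "x_session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"; // constructed
  const ss = sameSiteOf(setCookie);
  return {
    // "Continue" as a top-level GET navigation: cookie is present
    getNavigation: cookieAttached(ss, { crossSite: true, topLevelNavigation: true, method: "GET" }),
    // the same step as a cross-site <form method="POST">: cookie is dropped
    postForm: cookieAttached(ss, { crossSite: true, topLevelNavigation: true, method: "POST" }),
    // a cross-site fetch() call, regardless of method: cookie is dropped
    fetchCall: cookieAttached(ss, { crossSite: true, topLevelNavigation: false, method: "POST" }),
    // a POST from a page on the same site: cookie is present
    sameSitePost: cookieAttached(ss, { crossSite: false, topLevelNavigation: false, method: "POST" }),
  };
}

console.log(selectAccountScenarios());
```

One caveat when reasoning about this flow: the model treats a missing SameSite attribute as plain Lax. Chromium additionally applies a temporary "Lax + POST" allowance only to cookies that carry no SameSite attribute at all, so setting `SameSite=Lax` explicitly, as the discussion assumes, means behaviour does not depend on that exception.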