If an RP page has an XSS risk, the attacker can execute navigator.credentials.get in their malicious code, and the attacker can obtain the token. At that point, the attacker can log in to all RPs under this IdP, which is a high risk.
Some SSO solutions solve this problem by redirecting to a third-party website and setting cookies through browser redirection. There is basically no JS code execution, so it is very easy to solve the problem of a certain RP having an XSS risk that can be directly attacked to obtain the token.
For FedCM, how do we solve this problem? I see that there is a nonce parameter, but the nonce also has the risk of being forged. So, I would like to ask whether you have any suggestions, or any suggestions for the implementation of the nonce, to avoid such XSS problems. (How does the IdP ensure that the RP's identity is credible? Otherwise, token hijacking may occur.)