
IdP has to check the referrer of RP not to give IdToken to unexpected RPs #325

@manyhotcakes

Description

Hi, team.

From the IdP's perspective, we found that if any RP hosts the implementation of https://fedcm-rp-demo.glitch.me/ on another domain, they can receive the IdToken for https://fedcm-rp-demo.glitch.me/ from the IdP even though it's not hosted by the actual RP.
(We found this 2 weeks ago and reported it to @agektmr )

I understand that the current implementation of https://fedcm-rp-demo.glitch.me/ has already solved this issue by checking the referrer of the RP in the IdP, but it's not written in the FedCM specification.

I think it'd be a mandatory thing all IdPs using FedCM have to do. Do you have a plan to write it into the spec?

(BTW, the instruction to check the referrer was written in https://developer.chrome.com/blog/fedcm-origin-trial/ as "an important security information" just recently.)

Maybe this topic is related to #114
