Change ID assertion endpoint mode to CORS (#547)

* Change ID assertion endpoint mode to CORS

* Update spec/index.bs

Co-authored-by: Ted Thibodeau Jr <[email protected]>

---------

Co-authored-by: Ted Thibodeau Jr <[email protected]>

spec/index.bs

@@ -1332,11 +1332,7 @@ To <dfn>fetch an identity assertion</dfn> given a {{USVString}}
         :  [=request/credentials mode=]
         :: "include"
         :  [=request/mode=]
-        :: "no-cors"
-
-        Issue: The spec is yet to be updated so that all <a spec=fetch for=/>requests</a> are created
-        with [=request/mode=] set to "user-agent-no-cors". See the relevant
-        [pull request](https://github.com/whatwg/fetch/pull/1533) for details.
+        :: "cors"
 
     1. Let |credential| be null.
     1. [=Fetch request=] with |request| and |globalObject|, and with <var ignore>processResponseConsumeBody</var>
@@ -2530,6 +2526,16 @@ credentialed requests it receives, which ensures that the request was initiated
 based on the FedCM API. A malicious actor cannot spam FedCM API calls, so this is sufficient
 protection for the new [=IDP=] endpoints.
 
+<!-- ============================================================ -->
+## CORS Header ## {#sec-cors-header}
+<!-- ============================================================ -->
+
+The FedCM API allows the response from the [=identity assertion endpoint=] to be shared to the
+[=RP=]. Because of this, we impose the requirement that the [=IDP=] explicitly consents to this
+sharing taking place by using the "cors" [=request/mode=] when fetching this endpoint. This also
+helps with servers that may accidentally ignore the <a http-header>Sec-Fetch-Dest</a>: they cannot
+ignore CORS, as without it the fetch will fail.
+
 <!-- ============================================================ -->
 ## Browser Surface Impersonation ## {#browser-surface-impersonation}
 <!-- ============================================================ -->