From 692af52d6a39103fcd6ec6a4f7d64c1be431f62a Mon Sep 17 00:00:00 2001 From: Christian Biesinger Date: Tue, 29 Oct 2024 14:28:29 -0400 Subject: [PATCH 1/3] Download profile pictures before filtering accounts For privacy reasons, all pictures should be downloaded before filtering the list according to provided login or domain hints. --- spec/index.bs | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/spec/index.bs b/spec/index.bs index 9ee1e37f..14d746eb 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -846,6 +846,15 @@ the exception thrown. 1. Assert: |accountsList| is not failure and the size of |accountsList| is not 0. 1. [=Set the login status=] for the [=/origin=] of the {{IdentityProviderConfig/configURL}} to [=logged-in=]. + 1. For each |acc| in |accountsList|: + 1. If |acc|["{{IdentityProviderAccount/picture}}"] is present, [=fetch the account picture=] + with |acc| and |globalObject|. If the [=user agent=] displays this picture to + the user at any point, it MUST reuse the result of this fetch instead of redownloading + the picture. + + Note: We require downloading the pictures here before we potentially filter the account + list so that the identity provider cannot determine the provided hints based + on which fetches occured. 1. If |provider|'s {{IdentityProviderRequestOptions/loginHint}} is not empty: 1. For every |account| in |accountList|, remove |account| from |accountList| if |account|'s {{IdentityProviderAccount/login_hints}} does not [=list/contain=] |provider|'s 
@@ -860,13 +869,6 @@ the exception thrown. {{IdentityProviderAccount/domain_hints}} does not [=list/contain=] |provider|'s {{IdentityProviderRequestOptions/domainHint}}. 1. If |accountList| is now empty, go to the [=mismatch dialog step=]. - 1. For each |acc| in |accountsList|: - 1. If |acc|["{{IdentityProviderAccount/picture}}"] is present, [=fetch the account picture=] - with |acc| and |globalObject|. - - Note: The [=user agent=] may choose to show UI which does not initially require fetching the - account pictures. In these cases, the [=user agent=] may delay these fetches until they are - needed. Because errors from these fetches are ignored, they can happen in any order. 1. Let |registeredAccount|, |numRegisteredAccounts| be null and 0, respectively. 1. Let |account| be null. 1. For each |acc| in |accountsList|: From c6bb61fe6762fd0af513a07bdfc66742359767f6 Mon Sep 17 00:00:00 2001 From: Christian Biesinger Date: Wed, 30 Oct 2024 14:57:57 -0400 Subject: [PATCH 2/3] spelling fix --- spec/index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/index.bs b/spec/index.bs index 14d746eb..b7c0f247 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -854,7 +854,7 @@ the exception thrown. Note: We require downloading the pictures here before we potentially filter the account list so that the identity provider cannot determine the provided hints based - on which fetches occured. + on which fetches occurred. 1. If |provider|'s {{IdentityProviderRequestOptions/loginHint}} is not empty: 1. For every |account| in |accountList|, remove |account| from |accountList| if |account|'s {{IdentityProviderAccount/login_hints}} does not [=list/contain=] |provider|'s From 5a623923d9bab5302f613f0d892f03a6a9e3e7c5 Mon Sep 17 00:00:00 2001 From: Christian Biesinger Date: Wed, 30 Oct 2024 15:25:31 -0400 Subject: [PATCH 3/3] Fix comment from TallTed Co-authored-by: Ted Thibodeau Jr --- spec/index.bs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/spec/index.bs b/spec/index.bs index b7c0f247..9cce6426 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -853,8 +853,8 @@ the exception thrown. the picture. Note: We require downloading the pictures here before we potentially filter the account - list so that the identity provider cannot determine the provided hints based - on which fetches occurred. + list so that the identity provider cannot determine what hints were provided + based on which fetches occurred. 1. If |provider|'s {{IdentityProviderRequestOptions/loginHint}} is not empty: 1. For every |account| in |accountList|, remove |account| from |accountList| if |account|'s {{IdentityProviderAccount/login_hints}} does not [=list/contain=] |provider|'s
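Review bot: In PATCH 1/3, hunk @@ -846,6 +846,15 @@, the requirement that every picture is fetched before the hint filtering is carried only by the added Note ("We require downloading the pictures here..."), while the only MUST in the added step covers reusing the result. Notes are non-normative, and the Note removed later in this patch explicitly allowed the user agent to delay these fetches, so the step itself should say that the fetch is issued for every account in the unfiltered list and is not deferred or skipped depending on what UI is shown. Also in this hunk, the added loop iterates |accountsList| while the loginHint and domainHint steps in the trailing context filter |accountList|; the privacy argument depends on these being the same list, so the two names should be unified.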
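Review bot: In PATCH 1/3, hunk @@ -860,13 +869,6 @@, the removed Note was the only visible place stating that "errors from these fetches are ignored", and the replacement step added at line 849 does not restate it. Unless [=fetch the account picture=] already defines this, the relocated step should say that a failed picture fetch does not stop the loop or the algorithm, since a fetch sequence that ends early on failure would bring back a difference in which fetches the identity provider observes. Suggest carrying that one sentence over into the new step or its Note.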