Introduce Cross-Origin-Embedder-Policy: credentialless. This causes cross-origin no-cors requests to omit credentials (cookies, client certificates, etc). Similarly to COEP:require-corp, it can enable cross-origin isolation.
Motivation
Sites that wish to continue using SharedArrayBuffer must opt-into cross-origin isolation. Today, COEP: require-corp exists, and is used to enable cross-origin isolation. It is functional and solid, but turns out to be difficult to deploy at scale, as it requires all subresources to explicitly opt-in. This is fine for some sites, but creates dependency problems for sites that gather content from users (Google Earth, social media generally, forums, etc). With COEP: credentialless, we want to find a robust-enough protection against accidental cross-process leakage, without requiring an explicit opt-in from every subresource.
Specification
Status in Chromium
Origin trial (tracking bug) in:
- Chrome for desktop release 93
- Chrome for Android release 93
- Android WebView release 93
Consensus & Standardization
- Worth prototyping
- N/A
- No signal
- Positive
Owners
Intent to Prototype url
Intent to Prototype threadSearch tags
coep, credentialless, coop, crossoriginisolation, crossOriginisolated,Last updated on 2021-07-29