Introduce Cross-Origin-Embedder-Policy: credentialless. This causes cross-origin no-cors requests to omit credentials (cookies, client certificates, etc). Similarly to COEP:require-corp, it can enable cross-origin isolation.


Sites that wish to continue using SharedArrayBuffer must opt-into cross-origin isolation. Today, COEP: require-corp exists, and is used to enable cross-origin isolation. It is functional and solid, but turns out to be difficult to deploy at scale, as it requires all subresources to explicitly opt-in. This is fine for some sites, but creates dependency problems for sites that gather content from users (Google Earth, social media generally, forums, etc). With COEP: credentialless, we want to find a robust-enough protection against accidental cross-process leakage, without requiring an explicit opt-in from every subresource.




Specification link

Specification being incubated in a Community Group

Status in Chromium


Enabled by default (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.


Intent to Prototype url

Intent to Prototype thread

Search tags

coep, credentialless, coop, crossoriginisolation, crossOriginisolated,

Last updated on 2021-10-07