Introduce Cross-Origin-Embedder-Policy: credentialless. This causes cross-origin no-cors requests to omit credentials (cookies, client certificates, etc.). Like COEP: require-corp, it can enable cross-origin isolation.
Motivation
Sites that wish to continue using SharedArrayBuffer must opt in to cross-origin isolation. Today, COEP: require-corp exists and is used to enable cross-origin isolation. It is functional and solid, but turns out to be difficult to deploy at scale, as it requires every subresource to explicitly opt in. This is fine for some sites, but creates dependency problems for sites that gather content from users (Google Earth, social media generally, forums, etc.). With COEP: credentialless, we want to find a robust-enough protection against accidental cross-process leakage, without requiring an explicit opt-in from every subresource.
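To make the difference between the two COEP values concrete, here is an added example (not Chromium's code) that models how a document's Cross-Origin-Embedder-Policy value changes a cross-origin subresource fetch: the credentials mode that is actually used, and whether the response may be loaded. It simplifies the Fetch spec's CORP check: CORS is reduced to a boolean on the response, `same-site` is treated like `same-origin`, and navigations and `<iframe>` embedding are not modelled.

```javascript
// Added example, not Chromium's code: a small model of how a document's
// Cross-Origin-Embedder-Policy (COEP) value affects a subresource fetch.
// Simplifications: CORS is a boolean on the response, "same-site" is treated
// like "same-origin", and navigations/<iframe> embedding are not modelled.

// Step 1: which credentials mode does the request actually use?
function effectiveCredentialsMode(coep, request) {
  // COEP: credentialless strips credentials from cross-origin no-cors requests;
  // the other policy values leave the caller's choice untouched.
  if (coep === "credentialless" && request.mode === "no-cors" && !request.sameOrigin) {
    return "omit";
  }
  return request.credentials; // "include" or "omit", as the caller asked
}

// Step 2: is the response allowed to be loaded into this document?
function evaluateFetch(coep, request, response) {
  const credentialsMode = effectiveCredentialsMode(coep, request);
  if (request.sameOrigin) return { credentialsMode, result: "allowed" };
  if (request.mode === "cors") {
    // CORS-mode requests are governed by the CORS check, not by CORP.
    return { credentialsMode, result: response.corsAllowed ? "allowed" : "blocked" };
  }
  // no-cors, cross-origin: apply the Cross-Origin-Resource-Policy (CORP) check.
  let policy = response.corp; // "same-origin", "cross-origin" or undefined
  // require-corp treats a missing CORP header as an absent opt-in ("same-origin").
  // credentialless already omitted the credentials, so a missing header is fine;
  // unsafe-none (the default) never restricts.
  if (policy === undefined && coep === "require-corp") policy = "same-origin";
  const result = policy === "same-origin" ? "blocked" : "allowed";
  return { credentialsMode, result };
}

// Constructed sample: a third-party <img> whose server sends no CORP header,
// the typical case for user-supplied content mentioned in the Motivation.
const thirdPartyImage = { mode: "no-cors", credentials: "include", sameOrigin: false };
const plainResponse = { corp: undefined, corsAllowed: false };

function compareCoepValues() {
  return ["unsafe-none", "require-corp", "credentialless"].map((coep) => ({
    coep,
    ...evaluateFetch(coep, thirdPartyImage, plainResponse),
  }));
}

for (const row of compareCoepValues()) {
  console.log(`${row.coep.padEnd(15)} credentials=${row.credentialsMode} -> ${row.result}`);
}
```

The three rows show the trade-off the text describes: require-corp blocks the image until the third party adds CORP, while credentialless loads it but without the user's cookies.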
Status in Chromium
No active development (tracking bug)
Consensus & Standardization
- No signal
- No signal
- No signal
- No signals
Owners
Search tags
coep, credentialless, coop, crossoriginisolation, crossOriginisolated
Last updated on 2021-02-11
Comments
There are still major unknowns, especially how to embed an <iframe> inside a COEP: credentialless document. This will have to be resolved before proceeding further.