Introduce Cross-Origin-Embedder-Policy: credentialless. This causes cross-origin no-cors requests to omit credentials (cookies, client certificates, etc). Similarly to COEP:require-corp, it can enable cross-origin isolation.

Motivation

Sites that wish to continue using SharedArrayBuffer must opt-into cross-origin isolation. Today, COEP: require-corp exists, and is used to enable cross-origin isolation. It is functional and solid, but turns out to be difficult to deploy at scale, as it requires all subresources to explicitly opt-in. This is fine for some sites, but creates dependency problems for sites that gather content from users (Google Earth, social media generally, forums, etc). With COEP: credentialless, we want to find a robust-enough protection against accidental cross-process leakage, without requiring an explicit opt-in from every subresource.

Demo

• http://coep-credentialless.glitch.me/

Documentation

• https://github.com/WICG/credentiallessness
• https://docs.google.com/document/d/1U1pDzS_WJpfkq6QqOeqgmXmba_I4tIbUR-5C1AHzI9o/edit#

Specification

Specification link

Status: Specification being incubated in a Community Group

Status in Chromium

Blink components: Blink>SecurityFeature

Implementation status: Enabled by default (tracking bug)

Consensus & Standardization

• Firefox: Worth prototyping
• Edge: N/A
• Safari: No signal
• Web Developers: Positive

Owners

• arthursonzogni@chromium.org
• clamy@chromium.org
• mkwst@chromium.org

Intent to Prototype url

Search tags

Last updated on 2021-10-07