Introduce Cross-Origin-Embedder-Policy: credentialless. This causes cross-origin no-cors requests to omit credentials (cookies, client certificates, etc.). Like COEP: require-corp, it can enable cross-origin isolation.
Sites that wish to continue using SharedArrayBuffer must opt into cross-origin isolation. Today, COEP: require-corp exists and is used to enable cross-origin isolation. It is functional and solid, but has turned out to be difficult to deploy at scale, because it requires every subresource to opt in explicitly. This is fine for some sites, but creates dependency problems for sites that gather content from users (Google Earth, social media generally, forums, etc.). With COEP: credentialless, we want a robust-enough protection against accidental cross-process leakage without requiring an explicit opt-in from every subresource.
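The difference between the two COEP values, as an added example that is not part of this feature entry or of Chromium's code: a small model of the two Fetch rules involved. Under credentialless a cross-origin no-cors request is sent with credentials omitted, and the Cross-Origin-Resource-Policy check then treats a response that lacks a CORP header as allowed (it counts as "cross-origin") because no credentials were attached, whereas require-corp treats the same response as "same-origin" and blocks it. Helper names (effectiveCredentialsMode, corpAllows, corsAllows, simulateFetch), the same-site approximation (no Public Suffix List) and the sample URLs are assumptions; navigations (iframes) are left out of the model.

```javascript
// Added example, not code from the Chromium feature entry. Hypothetical helper
// names; the same-site check is a simplification (no Public Suffix List).
//
//  1. Under COEP: credentialless, a cross-origin no-cors request is sent with
//     credentials omitted (no cookies, no client certificates).
//  2. CORP check for no-cors (opaque) responses: a response without a
//     Cross-Origin-Resource-Policy header is treated as "same-origin" (blocked)
//     under require-corp; under credentialless only when the request carried
//     credentials, otherwise as "cross-origin" (allowed).
// Navigations (iframes) are deliberately left out.

function origin(url) {
  return new URL(url).origin;
}

// Simplified same-site test: same scheme and same last two host labels.
function sameSite(a, b) {
  const ua = new URL(a), ub = new URL(b);
  const site = (h) => h.split('.').slice(-2).join('.');
  return ua.protocol === ub.protocol && site(ua.hostname) === site(ub.hostname);
}

// Rule 1: the credentials mode the user agent actually uses for the request.
function effectiveCredentialsMode(coep, documentUrl, request) {
  const crossOrigin = origin(documentUrl) !== origin(request.url);
  if (coep === 'credentialless' && crossOrigin && request.mode === 'no-cors') {
    return 'omit';
  }
  return request.credentials;
}

// Rule 2: CORP check for a non-CORS response. `response.corp` holds the value
// of the Cross-Origin-Resource-Policy header, or is undefined when absent.
function corpAllows(coep, documentUrl, responseUrl, response, requestIncludedCredentials) {
  if (origin(documentUrl) === origin(responseUrl)) return true;
  let policy = ['same-origin', 'same-site', 'cross-origin'].includes(response.corp)
    ? response.corp : null;
  if (policy === null) {
    if (coep === 'unsafe-none') return true;
    policy = (coep === 'credentialless' && !requestIncludedCredentials)
      ? 'cross-origin' : 'same-origin';
  }
  if (policy === 'cross-origin') return true;
  if (policy === 'same-site') return sameSite(documentUrl, responseUrl);
  return false; // 'same-origin', and the origins already differ
}

// Minimal CORS check for mode:'cors' requests. credentialless does not change
// these: the request keeps its credentials and still needs an explicit grant.
function corsAllows(documentUrl, credentials, response) {
  const allowOrigin = response.acao; // Access-Control-Allow-Origin
  if (credentials === 'include') {
    return allowOrigin === origin(documentUrl) && response.acac === 'true';
  }
  return allowOrigin === '*' || allowOrigin === origin(documentUrl);
}

// Returns the credentials mode used and whether the document may use the response.
function simulateFetch(coep, documentUrl, request, response) {
  const credentials = effectiveCredentialsMode(coep, documentUrl, request);
  if (request.mode === 'cors') {
    return { credentials, delivered: corsAllows(documentUrl, credentials, response) };
  }
  const delivered = corpAllows(coep, documentUrl, request.url, response,
                               credentials === 'include');
  return { credentials, delivered };
}

// Constructed scenario: a cross-origin-isolated page embedding a third-party
// image whose server sends no CORP header (the common deployment blocker).
const DOC = 'https://app.example';
const IMG = { url: 'https://cdn.example.net/photo.png', mode: 'no-cors', credentials: 'include' };

console.log('require-corp   :', simulateFetch('require-corp', DOC, IMG, {}));
console.log('credentialless :', simulateFetch('credentialless', DOC, IMG, {}));
```

Running the block shows the image blocked under require-corp and loaded without cookies under credentialless. The CORS branch is there to make the scope of the change visible: a mode:'cors' request with credentials: 'include' is not stripped by credentialless and is still gated by Access-Control-Allow-Origin and Access-Control-Allow-Credentials, so only the opaque, no-cors path is what credentialless relaxes.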
Status in Chromium
Origin trial (tracking bug) in:
- Chrome for desktop release 93
- Chrome for Android release 93
- Android WebView release 93
Consensus & Standardization
Intent to Prototype: URL, thread
Search tags: coep, credentialless, coop, crossoriginisolation, crossOriginisolated
Last updated on 2021-07-29