Cross-Origin-Embedder-Policy: credentialless

Feature: Cross-Origin-Embedder-Policy: credentialless

Introduce Cross-Origin-Embedder-Policy: credentialless. This causes cross-origin no-cors requests to omit credentials (cookies, client certificates, etc). Similarly to COEP:require-corp, it can enable cross-origin isolation.

Motivation

Sites that wish to continue using SharedArrayBuffer must opt-into cross-origin isolation. Today, COEP: require-corp exists, and is used to enable cross-origin isolation. It is functional and solid, but turns out to be difficult to deploy at scale, as it requires all subresources to explicitly opt-in. This is fine for some sites, but creates dependency problems for sites that gather content from users (Google Earth, social media generally, forums, etc). With COEP: credentialless, we want to find a robust-enough protection against accidental cross-process leakage, without requiring an explicit opt-in from every subresource.

Demo

http://coep-credentialless.glitch.me/

Documentation

Specification

Specification link

Status: Specification being incubated in a Community Group

Status in Chromium

Blink components: Blink>SecurityFeature

Implementation status: Enabled by default (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Firefox: Worth prototyping
Safari: No signal
Web Developers: Positive

Owners

Intent to Prototype url

Intent to Prototype thread

Search tags

coep, credentialless, coop, crossoriginisolation, crossOriginisolated,

Last updated on 2022-01-04