Add the API: `self.crossOriginEmbedderPolicy`. It reflects the value of the environment's Cross-Origin-Embedder-Policy. The possible values are: 'unsafe-none', 'credentialless', and 'require-corp'.
Depending on the Cross-Origin-Embedder-Policy value, not every iframe or subresource can be loaded inside the document. If this reflection API is provided, third-party scripts can make better decisions and implement appropriate fallbacks. In particular, to try Anonymous Iframe, Google DisplayAds needs a way to know the COEP policy. The Ads script would then be able to decide between inserting a normal or an anonymous iframe.
This is a new API. The main risk is that it fails to become an interoperable part of the web platform if other browsers do not implement it.
This is a read-only attribute, constant for the whole lifetime of the environment. I don't expect difficulties using it. On web browser implementations not supporting it, it will return `undefined`.
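The decision a third-party script could make from the reflected value, including the `undefined` case, as an added example (not code from the proposal or from any ads script). The function names, the fallback choice for unsupported browsers, and the `credentialless` attribute name used to mark the anonymous iframe are assumptions of this example.

```javascript
// The three values the page lists for self.crossOriginEmbedderPolicy.
const KNOWN_POLICIES = ['unsafe-none', 'credentialless', 'require-corp'];

// Read the reflected policy from `scope` (`self` in a window or worker).
// Returns 'unknown' when the attribute is undefined (browser without the
// API) or holds a value this script does not recognise.
function readEmbedderPolicy(scope = globalThis) {
  const value = scope.crossOriginEmbedderPolicy;
  return KNOWN_POLICIES.includes(value) ? value : 'unknown';
}

// Decide which kind of iframe to insert for a given policy.
function chooseFrameMode(policy) {
  switch (policy) {
    case 'unsafe-none':
      return 'normal'; // no embedder policy restricts the iframe
    case 'credentialless':
    case 'require-corp':
      return 'anonymous'; // a normal third-party iframe may be blocked
    default:
      // Assumption of this example: without the API, keep the normal
      // iframe. A script could instead run the fetch-based deduction.
      return 'normal';
  }
}

// Assumption: attribute name that marks an iframe as anonymous.
const ANONYMOUS_ATTRIBUTE = 'credentialless';

// Create the iframe in `doc`. The anonymous marker is set before `src`
// so that it applies to the first navigation of the frame.
function insertFrame(doc, url, scope = globalThis) {
  const policy = readEmbedderPolicy(scope);
  const mode = chooseFrameMode(policy);
  const frame = doc.createElement('iframe');
  if (mode === 'anonymous') frame.setAttribute(ANONYMOUS_ATTRIBUTE, '');
  frame.setAttribute('src', url);
  doc.body.appendChild(frame);
  return { policy, mode, frame };
}
```

In a page, the call would be `insertFrame(document, url, self)`.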
It is already possible to deduce the value returned by the API by making a no-cors `fetch` request toward a known cross-origin URL whose response depends on the request's cookies and omits the CORP headers. It is a bit costly, but theoretically polyfillable. As such, it should be a security/privacy no-op.
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None. COEP reflection is independent from the platform.
It was already exposed in DevTools via Application > Frames > top > Security & Isolation > Cross-Origin Embedder Policy (COEP). Nothing new is needed/planned.
No milestones specified