Intent to Experiment: Cross-Origin-Embedder-Policy: credentialless


Arthur Sonzogni

Jun 28, 2021, 8:15:38 AM
to blin...@chromium.org

Contact emails

arthurs...@chromium.org
cl...@chromium.org
mk...@chromium.org

Explainer

https://github.com/mikewest/credentiallessness

Specification

https://htmlpreview.github.io/?https://github.com/mikewest/credentiallessness/blob/main/index.html

Design docs


https://github.com/mikewest/credentiallessness/
https://docs.google.com/document/d/1U1pDzS_WJpfkq6QqOeqgmXmba_I4tIbUR-5C1AHzI9o/edit#

Summary

Introduce Cross-Origin-Embedder-Policy: credentialless. This causes cross-origin no-cors requests to omit credentials (cookies, client certificates, etc). Similarly to COEP:require-corp, it can enable cross-origin isolation.



Blink component

Blink>SecurityFeature

Search tags

coep, credentialless, coop, crossoriginisolation, crossOriginisolated

TAG review

https://github.com/w3ctag/design-reviews/issues/582

TAG review status

Pending

Risks



Interoperability and Compatibility

This is an opt-in feature, so there are no compatibility risks. The main risk is that it fails to become an interoperable part of the web platform.



Gecko: Worth prototyping (https://github.com/mozilla/standards-positions/issues/539#issuecomment-867473836), modulo Private Network Access and CORB++ being sorted. Note that neither Private Network Access nor CORB++ has shipped yet as of M93; only CORB has, in M68.

WebKit: No signal (https://lists.webkit.org/pipermail/webkit-dev/2021-June/031898.html). No replies yet.

Web developers: Positive (https://github.com/WICG/proposals/issues/31#issuecomment-858822619). Google Earth & Zoom are positive.

Ergonomics

Similarly to the existing COEP:require-corp, it will also often be used in tandem with Cross-Origin-Opener-Policy: same-origin (COOP) to get access to the cross-origin isolated capability.



Activation

This is an HTTP header. Developers need to be able to configure their server. This is hard for websites hosted on servers they don't own, like github.io pages.



Goals for experimentation

1. Is it useful on its own, despite the <iframe> continuing to be blocked? Is it worth shipping independently from anonymous iframe?
2. Does this address some of your problems deploying COEP, and cross-origin isolation in general?
3. What problems remain, beyond the <iframe> constraint?


Experimental timeline

M93-95


Reason this experiment is being extended

N/A



Ongoing technical constraints



Debuggability

Similar to COEP:require-corp:
1. Display COEP policy: Devtool > Application > Frames > top > Security & Isolation > Cross-Origin Embedder Policy.
2. Devtool issues: https://source.chromium.org/search?q=file:devtools-frontend%2Fsrc%2Ffront_end%2Fmodels%2Fissues_manager%2Fdescriptions%2FCoep*&ss=chromium



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes

Consistency of the web platform is important.



Is this feature fully tested by web-platform-tests?

Yes

Flag name

chrome://flags/#cross-origin-embedder-policy-credentialless

Tracking bug

https://crbug.com/1175099

Launch bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1218896

Measurement

https://chromestatus.com/metrics/feature/timeline/popularity/3881

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/4918234241302528

Links to previous Intent discussions

Intent to prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/DOtU6R4TuAY/m/kPbID-LAAQAJ


This intent message was generated by Chrome Platform Status.
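To make the Summary and Activation sections above concrete, here is a small decision model (an added example, not code from the intent, the explainer, or Chromium) of how a document's COEP value changes a cross-origin subresource request: credentialless strips credentials from cross-origin no-cors requests and then lets their responses through without a CORP header, while require-corp still demands CORP and iframe navigations are blocked under both. The function name and its inputs are constructed for illustration; "same-site" CORP and report-only policies are deliberately left out.

```javascript
// Constructed model of the COEP / CORP interaction described in the intent.
// Not the Fetch spec's algorithm: "same-site" CORP and report-only are omitted.

/**
 * @param {string} coep  "unsafe-none" | "require-corp" | "credentialless"
 * @param {object} req
 * @param {boolean} req.crossOrigin  target is cross-origin to the embedding document
 * @param {string}  req.mode         "no-cors" (img/script/etc.), "cors", or "navigate" (iframe)
 * @param {string|null} req.corp     Cross-Origin-Resource-Policy header on the response, or null
 * @returns {{credentials: string, allowed: boolean}}
 */
function planSubresource(coep, { crossOrigin, mode, corp = null }) {
  // Step 1: credentials. Only credentialless changes anything: cross-origin
  // no-cors requests (the ones CORS never vets) are sent without cookies,
  // client certificates, etc. Same-origin and CORS-mode requests are untouched.
  let credentials = "include";
  if (coep === "credentialless" && crossOrigin && mode === "no-cors") {
    credentials = "omit";
  }

  // Step 2: CORP check. Same-origin responses and CORS-vetted responses are
  // never subject to it; opaque (no-cors) responses and iframe navigations are.
  if (!crossOrigin || mode === "cors") return { credentials, allowed: true };

  let effectiveCorp = corp;
  if (effectiveCorp === null) {
    // No CORP header on the response: the embedder policy decides what to assume.
    if (coep === "require-corp") effectiveCorp = "same-origin";
    // credentialless: a response to a request that carried credentials
    // (which includes every iframe navigation) is treated as same-origin only;
    // a credential-free opaque response is allowed through.
    if (coep === "credentialless" && credentials === "include") effectiveCorp = "same-origin";
  }
  // CORP "same-origin" blocks a cross-origin embedder whatever its COEP is;
  // "cross-origin" (or nothing to assume) allows it.
  return { credentials, allowed: effectiveCorp !== "same-origin" };
}

// Headline case from the intent: a cross-origin image without any CORP header.
function headlineCase() {
  const req = { crossOrigin: true, mode: "no-cors", corp: null };
  return {
    requireCorp: planSubresource("require-corp", req),   // blocked, credentials sent
    credentialless: planSubresource("credentialless", req), // allowed, credentials omitted
  };
}
```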

Yoav Weiss

Jun 28, 2021, 8:49:25 AM
to Arthur Sonzogni, blink-dev
LGTM to experiment M93-95

Those are all excellent questions! Can't wait for the answers :)
 