Introduce Cross-Origin-Embedder-Policy: credentialless. This causes cross-origin no-cors requests to omit credentials (cookies, client certificates, etc). Similarly to COEP:require-corp, it can enable cross-origin isolation.
Compatibility risk: This is an opt-in new feature, so there are no compatibility risks.
Interoperability risk: New feature. Risk is failing to become an interoperable part of the web platform.
The same devtool features as for COEP:require-corp:
1. Display COEP policy: Devtool > Application > Frames > top > Security & Isolation > Cross-Origin Embedder Policy.
2. Devtool issues: https://source.chromium.org/search?q=file:devtools-frontend%2Fsrc%2Ffront_end%2Fmodels%2Fissues_manager%2Fdescriptions%2FCoep*&ss=chromium
OriginTrial desktop last | 95 |
OriginTrial desktop first | 93 |
DevTrial on desktop | 93 |
OriginTrial android last | 95 |
OriginTrial android first | 93 |
DevTrial on android | 93 |
DevTrial on Webview | 93 |
No official replies yet. Safari is currently implementing COOP/COEP, but has no plan yet about the COEP:credentialless variant: https://twitter.com/mikewest/status/1434878018191826948
Web developers: Positive (https://github.com/WICG/proposals/issues/31#issuecomment-858822619). Google Earth, Twitter, Zoom, etc. are positive.
Ergonomics
Similarly to the existing COEP:require-corp, it will also be often used in tandem with Cross-Origin-Opener-Policy: same-origin (COOP)
Activation
This is an HTTP header. Developers need to be able to configure their server. This is hard for them when hosting their page on servers they don't really own, like https://github.io pages.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAAzos5GX5UpU_8V5faX0KzvWG9y5FT8BvCDJ5LUQ929LWM3%3DPA%40mail.gmail.com.
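One way to send the two headers discussed above from a Node.js server and to check a response's headers before deploying, as an added example that is not part of the original thread. The names ISOLATION_HEADERS, auditIsolation and handler are hypothetical, and the audit covers only the header preconditions for cross-origin isolation.

```javascript
// Added example; ISOLATION_HEADERS, auditIsolation and handler are hypothetical names.
const ISOLATION_HEADERS = Object.freeze({
  'Cross-Origin-Embedder-Policy': 'credentialless',
  'Cross-Origin-Opener-Policy': 'same-origin',
});

// First item of a header value, without parameters such as report-to.
// Policy tokens are compared exactly, so "Credentialless" does not match.
function policyToken(value) {
  return String(value ?? '').split(';')[0].trim();
}

// Check the header preconditions for cross-origin isolation on one response.
// `headers` is a plain object; header names are matched case-insensitively.
function auditIsolation(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const coep = policyToken(h['cross-origin-embedder-policy']);
  const coop = policyToken(h['cross-origin-opener-policy']);
  const problems = [];
  if (coep !== 'require-corp' && coep !== 'credentialless') {
    problems.push(h['cross-origin-embedder-policy-report-only']
      ? 'COEP is only set in report-only mode, so it is not enforced'
      : 'COEP is missing or is not require-corp / credentialless');
  }
  if (coop !== 'same-origin') {
    problems.push('COOP is missing or is not same-origin');
  }
  return { coep, coop, eligible: problems.length === 0, problems };
}

// Request handler with the (req, res) shape that http.createServer() expects.
// The served page logs self.crossOriginIsolated so the result can be confirmed
// in the browser console next to the DevTools COEP display.
function handler(req, res) {
  for (const [name, value] of Object.entries(ISOLATION_HEADERS)) {
    res.setHeader(name, value);
  }
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end('<script>console.log("crossOriginIsolated:", self.crossOriginIsolated)</script>');
}
```

To serve it, pass `handler` to `http.createServer()` from Node's `http` module; the audit function can run against captured response headers in a deployment check.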
> That makes sense, but maybe there's a way for us to combine this and the recent PNA intent and be more bold there only in the case of a COEP: credentialless embedder?
That's an interesting idea! I think it's worth considering when PNA will have an implementation of preflight checks. For now, it doesn't and I would like to avoid tying two features together during a launch.
Moreover, this would still not bring better than the status quo for now, because the SAB OT remains. However, this is a nice subset to experiment/launch PNA earlier. Maybe we can be more aggressive here. The subset might be COEP:credentialless, COEP:X, COI.
This would require adding some metrics to understand exactly how many pages would be affected by PNA in every subset. I think we will add some metrics for M96 as well and make a decision based on that.
Contact emails
arthurs...@chromium.org, cl...@chromium.org, mk...@chromium.org
Explainer
https://github.com/WICG/credentiallessness
Specification
https://wicg.github.io/credentiallessness/
LGTM2
On Fri, Sep 10, 2021 at 9:57 AM Domenic Denicola <dom...@chromium.org> wrote:
On Fri, Sep 10, 2021 at 7:17 AM 'Arthur Sonzogni' via blink-dev <blin...@chromium.org> wrote: