Add credentialless value to COEP

This defines Cross-Origin-Embedder-Policy: credentialless. The credentialless and require-corp values are similar. One or the other is a requirements for the cross-origin isolated capability. They differ mostly in terms of fetching. require-corp requires a Cross-Origin-Resource-Policy header for cross-origin opaque responses. credentialless doesn't, but omits credentials (cookies, client certificates, etc.) in cross-origin "no-cors" requests. See https://github.com/WICG/credentiallessness for additional context. Fetch PR: whatwg/fetch#1229. Tests: WPT html/cross-origin-embedder-policy/credentialless. Closes whatwg#6637.
dandclark · Dec 4, 2021 · ac8f1c0 · ac8f1c0
1 parent 5bb6fbc
commit ac8f1c0
Showing 1 changed file with 74 additions and 49 deletions.
diff --git a/source b/source
@@ -80244,9 +80244,8 @@ console.assert(iframeWindow.frameElement === null);
     data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</span>: <span
     data-x="coop-same-origin">same-origin</span></code>`, and</p></li>
 
-    <li><p>every <span>Document</span> has `<code
-    data-x=""><span>Cross-Origin-Embedder-Policy</span>: <span
-    data-x="coep-require-corp">require-corp</span></code>`.</p></li>
+    <li><p>every <span>Document</span> has a `<code>Cross-Origin-Embedder-Policy</code>` header
+    whose value is <span>compatible with cross-origin isolation</span>.</p></li>
    </ul>
 
    <p>On some platforms, it is difficult to provide the security properties required to grant safe
@@ -83303,8 +83302,9 @@ interface <dfn interface>BarProp</dfn> {
     data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</code>` header, but results
     from a combination of setting both `<code data-x=""><span
     data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</span>: <span
-    data-x="coop-same-origin">same-origin</span></code>` and `<code
-    data-x=""><span>Cross-Origin-Embedder-Policy</span>: require-corp</code>` together.</p>
+    data-x="coop-same-origin">same-origin</span></code>` and a
+    `<code>Cross-Origin-Embedder-Policy</code>` header whose value is <span>compatible with
+    cross-origin isolation</span> together.<p>
    </dd>
   </dl>
 
@@ -83393,8 +83393,8 @@ interface <dfn interface>BarProp</dfn> {
        policy">obtaining a cross-origin embedder policy</span> from <var>response</var> and
        <var>reservedEnvironment</var>.</p></li>
 
-       <li><p>If <var>coep</var>'s <span data-x="embedder-policy-value">value</span> is "<code
-       data-x="coep-require-corp">require-corp</code>", then set <var>policy</var>'s <span
+       <li><p>If <var>coep</var>'s <span data-x="embedder-policy-value">value</span> is
+       <span>compatible with cross-origin isolation</span>, then set <var>policy</var>'s <span
        data-x="coop-struct-value">value</span> to "<code
        data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>".</p></li>
 
@@ -83435,10 +83435,10 @@ interface <dfn interface>BarProp</dfn> {
        <var>reservedEnvironment</var>.</p></li>
 
        <li>
-        <p>If <var>coep</var>'s <span data-x="embedder-policy-value">value</span> is "<code
-        data-x="coep-require-corp">require-corp</code>" or <var>coep</var>'s <span
-        data-x="embedder-policy-report-only-value">report-only value</span> is "<code
-        data-x="coep-require-corp">require-corp</code>", then set <var>policy</var>'s <span
+        <p>If <var>coep</var>'s <span data-x="embedder-policy-value">value</span> is
+        <span>compatible with cross-origin isolation</span> or <var>coep</var>'s <span
+        data-x="embedder-policy-report-only-value">report-only value</span> is <span>compatible with
+        cross-origin isolation</span>, then set <var>policy</var>'s <span
         data-x="coop-struct-report-only-value">report-only value</span> to "<code
         data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>".</p>
 
@@ -84451,8 +84451,8 @@ interface <dfn interface>BarProp</dfn> {
 
   <h3 id="coep">Cross-origin embedder policies</h3>
 
-  <p>An <dfn export>embedder policy value</dfn> controls the fetching of cross-origin resources
-  without explicit permission from resource owners. There are two such values:</p>
+  <p>An <dfn export>embedder policy value</dfn> is one of three strings that controls the fetching
+  of cross-origin resources without explicit permission from resource owners.</p>
 
   <dl>
    <dt>"<dfn data-x="coep-unsafe-none" export for="embedder policy value"><code
@@ -84466,8 +84466,34 @@ interface <dfn interface>BarProp</dfn> {
    <dd><p>When this value is used, fetching cross-origin resources requires the server's
    explicit permission through the <span>CORS protocol</span> or the
    `<code>Cross-Origin-Resource-Policy</code>` header.</p></dd>
+
+   <dt>"<dfn data-x="coep-credentialless" export for="embedder policy value"><code
+   data-x="">credentialless</code></dfn>"</dt>
+   <dd><p>When this value is used, fetching cross-origin no-CORS resources omits credentials. In
+   exchange, an explicit `<code>Cross-Origin-Resource-Policy</code>` header is not required. Other
+   requests sent with credentials require the server's explicit permission through the <span>CORS
+   protocol</span> or the `<code>Cross-Origin-Resource-Policy</code>` header.</p></dd>
   </dl>
 
+  <div class="warning">
+   <p>Before supporting "<code data-x="coep-credentialless">credentialless</code>", implementers are
+   strongly encouraged to support both:
+
+   <ul class="brief">
+    <li><a href="https://wicg.github.io/private-network-access/">Private Network Access</a></li>
+    <li><a href="https://github.com/annevk/orb">Opaque Response Blocking</a></li>
+   </ul>
+
+   <p>Otherwise, it would allow attackers to leverage the client's network position to read non
+   public resources, using the <span
+   data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin isolated
+   capability</span>.</p>
+  </div>
+
+  <p>An <span>embedder policy value</span> is <dfn>compatible with cross-origin isolation</dfn> if
+  it is "<code data-x="coep-credentialless">credentialless</code>" or "<code
+  data-x="coep-require-corp">require-corp</code>".</p>
+
   <p>An <dfn export>embedder policy</dfn> consists of:</p>
 
   <ul>
@@ -84572,17 +84598,17 @@ interface <dfn interface>BarProp</dfn> {
    <var>response</var>'s <span data-x="concept-response-header-list">header list</span>.</p></li>
 
    <li>
-    <p>If <var>parsedItem</var> is non-null and <var>parsedItem</var>[0] is "<code
-    data-x="">require-corp</code>":</p>
+    <p>If <var>parsedItem</var> is non-null and <var>parsedItem</var>[0] is <span>compatible with
+    cross-origin isolation</span>:</p>
 
     <ol>
-     <li><p>Set <var>policy</var>'s <span data-x="embedder-policy-value">value</span> to "<code
-     data-x="coep-require-corp">require-corp</code>".</p></li>.
+     <li><p>Set <var>policy</var>'s <span data-x="embedder-policy-value">value</span> to
+     <var>parsedItem</var>[0].</p></li>
 
      <li><p>If <var>parsedItem</var>[1]["<code data-x="coep-report-to">report-to</code>"] <span
      data-x="map exists">exists</span>, then set <var>policy</var>'s <span
-     data-x="embedder-policy-reporting-endpoint">endpoint</span> to <var>parsedItem</var>[1]["<code
-     data-x="coep-report-to">report-to</code>"].</p></li>
+     data-x="embedder-policy-reporting-endpoint">endpoint</span> to
+     <var>parsedItem</var>[1]["<code data-x="coep-report-to">report-to</code>"].</p></li>
     </ol>
    </li>
 
@@ -84592,17 +84618,17 @@ interface <dfn interface>BarProp</dfn> {
    list</span>.</p></li>
 
    <li>
-    <p>If <var>parsedItem</var> is non-null and <var>parsedItem</var>[0] is "<code
-    data-x="">require-corp</code>":</p>
+    <p>If <var>parsedItem</var> is non-null and <var>parsedItem</var>[0] is <span>compatible with
+    cross-origin isolation</span>:</p>
 
     <ol>
-     <li><p>Set <var>policy</var>'s <span data-x="embedder-policy-report-only-value">report-only
-     value</span> to "<code data-x="coep-require-corp">require-corp</code>".</p></li>.
+     <li><p>Set <var>policy</var>'s <span
+     data-x="embedder-policy-report-only-value">value</span> to <var>parsedItem</var>[0].</p></li>
 
      <li><p>If <var>parsedItem</var>[1]["<code data-x="coep-report-to">report-to</code>"] <span
-     data-x="map exists">exists</span>,  then set <var>policy</var>'s <span
-     data-x="embedder-policy-report-only-reporting-endpoint">report-only reporting endpoint</span>
-     to <var>parsedItem</var>[1]["<code data-x="coep-report-to">report-to</code>"].</p></li>
+     data-x="map exists">exists</span>, then set <var>policy</var>'s <span
+     data-x="embedder-policy-report-only-reporting-endpoint">endpoint</span> to
+     <var>parsedItem</var>[1]["<code data-x="coep-report-to">report-to</code>"].</p></li>
     </ol>
    </li>
 
@@ -84625,19 +84651,19 @@ interface <dfn interface>BarProp</dfn> {
    data-x="policy-container-embedder-policy">embedder policy</span>.</p></li>
 
    <li><p>If <var>parentPolicy</var>'s <span data-x="embedder-policy-report-only-value">report-only
-   value</span> is "<code data-x="coep-require-corp">require-corp</code>" and
-   <var>responsePolicy</var>'s <span data-x="embedder-policy-value">value</span> is "<code
-   data-x="coep-unsafe-none">unsafe-none</code>", then <span>queue a cross-origin embedder policy
-   inheritance violation</span> with <var>response</var>, "<code data-x="">navigation</code>",
-   <var>parentPolicy</var>'s <span data-x="embedder-policy-report-only-reporting-endpoint">report
-   only reporting endpoint</span>, "<code data-x="">reporting</code>", and <var>target</var>'s <span
+   value</span> is <span>compatible with cross-origin isolation</span> and
+   <var>responsePolicy</var>'s <span data-x="embedder-policy-value">value</span> is not, then
+   <span>queue a cross-origin embedder policy inheritance violation</span> with <var>response</var>,
+   "<code data-x="">navigation</code>", <var>parentPolicy</var>'s <span
+   data-x="embedder-policy-report-only-reporting-endpoint">report only reporting endpoint</span>,
+   "<code data-x="">reporting</code>", and <var>target</var>'s <span
    data-x="bc-container-document">container document</span>'s <span>relevant settings
    object</span>.</p></li>
 
-   <li><p>If <var>parentPolicy</var>'s <span data-x="embedder-policy-value">value</span> is "<code
-   data-x="coep-unsafe-none">unsafe-none</code>" or <var>responsePolicy</var>'s <span
-   data-x="embedder-policy-value">value</span> is "<code
-   data-x="coep-require-corp">require-corp</code>", then return true.</p></li>
+   <li><p>If <var>parentPolicy</var>'s <span data-x="embedder-policy-value">value</span> is not
+   <span>compatible with cross-origin isolation</span> or <var>responsePolicy</var>'s <span
+   data-x="embedder-policy-value">value</span> is <span>compatible with cross-origin
+   isolation</span>, then return true.</p></li>
 
    <li><p><span>Queue a cross-origin embedder policy inheritance violation</span> with
    <var>response</var>, "<code data-x="">navigation</code>", <var>parentPolicy</var>'s <span
@@ -84665,18 +84691,17 @@ interface <dfn interface>BarProp</dfn> {
    data-x="policy-container-embedder-policy">embedder policy</span>.
 
    <li><p>If <var>ownerPolicy</var>'s <span data-x="embedder-policy-report-only-value">report-only
-   value</span> is "<code data-x="coep-require-corp">require-corp</code>" and <var>policy</var>'s
-   <span data-x="embedder-policy-value">value</span> is "<code
-   data-x="coep-unsafe-none">unsafe-none</code>", then <span>queue a cross-origin embedder policy
-   inheritance violation</span> with <var>response</var>, "<code data-x="">worker
+   value</span> is <span>compatible with cross-origin isolation</span> and <var>policy</var>'s
+   <span data-x="embedder-policy-value">value</span> is not, then <span>queue a cross-origin
+   embedder policy inheritance violation</span> with <var>response</var>, "<code data-x="">worker
    initialization</code>", <var>owner's policy</var>'s <span
    data-x="embedder-policy-report-only-reporting-endpoint">report only reporting endpoint</span>,
    "<code data-x="">reporting</code>", and <var>owner</var>.</p></li>
 
-   <li><p>If <var>ownerPolicy</var>'s <span data-x="embedder-policy-value">value</span> is "<code
-   data-x="coep-unsafe-none">unsafe-none</code>" or <var>policy</var>'s <span
-   data-x="embedder-policy-value">value</span> is "<code
-   data-x="coep-require-corp">require-corp</code>", then return true.</p></li>
+   <li><p>If <var>ownerPolicy</var>'s <span data-x="embedder-policy-value">value</span> is not
+   <span>compatible with cross-origin isolation</span> or <var>policy</var>'s <span
+   data-x="embedder-policy-value">value</span> is <span>compatible with cross-origin
+   isolation</span>, then return true.</p></li>
 
    <li><p><span>Queue a cross-origin embedder policy inheritance violation</span> with
    <var>response</var>, "<code data-x="">worker initialization</code>", <var>owner's policy</var>'s
@@ -102561,11 +102586,11 @@ interface <dfn interface>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope
 
      <li>
       <p>If <var>worker global scope</var>'s <span
-      data-x="concept-WorkerGlobalScope-embedder-policy">embedder policy</span> is "<code
-      data-x="coep-require-corp">require-corp</code>" and <var>is shared</var> is true, then set
-      <var>agent</var>'s <span>agent cluster</span>'s <span
-      data-x="agent-cluster-cross-origin-isolation">cross-origin isolation mode</span> to "<code
-      data-x="cross-origin-isolation-logical">logical</code>" or "<code
+      data-x="concept-WorkerGlobalScope-embedder-policy">embedder policy</span>'s <span
+      data-x="embedder-policy-value">value</span> is <span>compatible with cross-origin
+      isolation</span> and <var>is shared</var> is true, then set <var>agent</var>'s <span>agent
+      cluster</span>'s <span data-x="agent-cluster-cross-origin-isolation">cross-origin isolation
+      mode</span> to "<code data-x="cross-origin-isolation-logical">logical</code>" or "<code
       data-x="cross-origin-isolation-concrete">concrete</code>". The one chosen is
       <span>implementation-defined</span>.</p>