Allow credentialless subresources with COEP #4919
Labels
addition/proposal
New features or enhancements
needs implementer interest
Moving the issue forward requires implementers to express interest
topic: cross-origin-embedder-policy
Issues and ideas around the new "require CORP for subresource requests and frames and etc" proposal
Branching from #4175:
Some -- probably most -- resources on the web are public, and their content is not sensitive in any way; however, a site which can embed them in a page is still blocked from reading their content, or knowing anything about the content at all, despite the origin server being in the position of being able to fetch the identical resource from its own location.
I'd like to use COEP to declare that certain subresources are public, having been fetched over the public internet (per CORS-1918), without any cookies/credentials attached.
It's not in the current proposal, but I could imagine something like
being used to force that mode. Third-party cookies would not be sent, even if they exist, and the content of the resource could potentially be made available to the embedder. The site would still send first-party cookies for those resources, but is essentially declaring that it does not want to embed any sensitive third-party content.
The text was updated successfully, but these errors were encountered: