Cross-Origin-Embedder-Policy: credentialless #6637

ArthurSonzogni · 2021-04-30T12:33:31Z

Specify the behavior of Cross-Origin-Embedder-Policy: cors-or-credentialless,
Originally described in: https://github.com/mikewest/credentiallessness

cors-or-credentialless and require-corp are similar. One or the other is a requirements for the window.crossOriginIsolated capability. They both share the same set of checks.
They differ mostly in the fetch specification. require-corp requires a CORP header for cross-origin no-cors responses. cors-or-credentialless doesn't, but omits credentials (Cookies, clients certificates, etc...) in exchange.

I am opening this bug to reference several PR against the HTML, Fetch and ServiceWorker spec. So they can be discussed more widely.

Some tentative tests have been written into the wpt repository:
https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/cors-or-credentialless?label=master&label=experimental&aligned&q=cors-or-credentialless

The text was updated successfully, but these errors were encountered:

annevk · 2021-04-30T12:41:29Z

Why would cors be part of the name?

Also, I still stand by w3ctag/design-reviews#582 (comment).

annevk · 2021-04-30T13:11:03Z

Also had a question about how this works for navigations. It seems to me that if the parent document has cors-or-credentialless, the child can have either that or require-corp. But if the parent has require-corp, the child shouldn't be allowed to have cors-or-credentialless perhaps as that's weaker? (Especially once most things cross-origin are without credentials anyway.)

ArthurSonzogni · 2021-04-30T13:31:38Z

Thanks @annevk!

Why would cors be part of the name?

Either the request is sent via CORS with credentials, and you must get explicit opt-in from the cross-origin server. Or it is sent in no-cors mode without credentials => cors-or-credentialless.
What do you think?

Also, I still stand by w3ctag/design-reviews#582 (comment).

The main issues we had was:

Defining a solution for <iframe>. @camillelamy is preparing an explainer about this to share. Maybe next week.
Private Network Access is needed. Yes this is a required dependency.
https://github.com/annevk/orb is needed. I agree.

Also had a question about how this works for navigations. It seems to me that if the parent document has cors-or-credentialless, the child can have either that or require-corp. But if the parent has require-corp, the child shouldn't be allowed to have cors-or-credentialless perhaps as that's weaker? (Especially once most things cross-origin are without credentials anyway.)

For now, the HTML spec PR and tentative test puts require-corp and cors-or-credentialless at the same level. One can embed the other and vice-versa. I initially thought require-corp couldn't embed cors-or-credentialless, because I felt one was weaker than than other. However, I couldn't really tell what was the threat this would protect us from. If you can find any potential reason to restrict this, feel free to share.

annevk · 2021-05-03T06:42:49Z

require-corp also offers CORS as alternative without explicitly mentioning it. So I think it would be nicer to be consistent with that, naming-wise.

I think require-corp is stricter as there are less resources it would end up embedding and there's a class of IP-authenticated resources we know credentialless cannot protect. However, like you, I cannot come up with a credible threat. (I'm a bit surprised that above you say there is no solution for iframe yet. It seems that is somewhat critical and also relevant to this issue.)

ArthurSonzogni · 2021-05-03T08:37:38Z

require-corp also offers CORS as alternative without explicitly mentioning it. So I think it would be nicer to be consistent with that, naming-wise.

I understand this argument. cors-or-credentialless would be easier to understand for users, but this would have required require-corp to be for instance cors-or-corp, for consistency.
I don't have a strong opinion for one or the other. If others have different opinions, free to discuss this here or open a different issue. Otherwise, I guess we can switch toward COEP:credentialless.

I'm a bit surprised that above you say there is no solution for iframe yet. It seems that is somewhat critical and also relevant to this issue.

COEP:credentialless, doesn't relax <iframe> over the status co. They are still blocked if they don't use require-corp or credentialless.

@camillelamy will soon release an explainer for a potential solution to the deployment of <iframe> you don't control. The way it is built make it independent of COEP:credentialless.

Specify the behavior of `Cross-Origin-Embedder-Policy: cors-or-credentialless`, Originally described in: https://github.com/mikewest/credentiallessness `cors-or-credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability. They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `cors-or-credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests. * HTML (whatwg/html#6638) * Define how to parse the `cors-or-credentialless` value. * From the HTML spec point of view, `cors-or-credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept. * Fetch: (This PR) * Define "Cross-Origin-Embedder-Policy allows credentials". * Omit credentials for no-cors, cross-origin, COEP:credentialless requests. * Check CORP for navigational COEP:credentialless response. * ServiceWorker: XXX * Integration with `Cache.matchAll `algorithm. * XXX See: whatwg/html#6637 ---- - [ ] At least two implementers are interested (and none opposed): * Chrome: https://chromestatus.com/feature/4918234241302528#details * Firefox: XXX * Safari: XXX - [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at: * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/cors-or-credentialless - [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed: * Chrome: https://crbug.com/1175099 * Firefox: XXX * Safari: XXX (See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.) ---- See: whatwg/html#6637

(Draft) Originally described in: https://github.com/mikewest/credentiallessness `credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability. They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests. * HTML (whatwg/html#6638) * Define how to parse the `credentialless` value. * From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept. * Fetch: (This PR) * Define "Cross-Origin-Embedder-Policy allows credentials". * Omit credentials for no-cors, cross-origin, COEP:credentialless requests. * Check CORP for navigational COEP:credentialless response. * ServiceWorker: XXX * Integration with `Cache.matchAll `algorithm. * XXX See: whatwg/html#6637 ---- - [ ] At least two implementers are interested (and none opposed): * Chrome: https://chromestatus.com/feature/4918234241302528#details * Firefox: XXX * Safari: XXX - [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at: * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/credentialless - [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed: * Chrome: https://crbug.com/1175099 * Firefox: XXX * Safari: XXX (See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.) ---- See: whatwg/html#6637

This was discussed here: whatwg/html#6637 (comment) This patch renames "cors-or-credentialless" into "credentialless". The WPT test directory: - html/cross-origin-embedder-policy/credentialless/cors-or-credentialess/ - html/cross-origin-embedder-policy/credentialless/full-credentialless/ are renamed: - html/cross-origin-embedder-policy/cors-or-credentialess/ - html/cross-origin-embedder-policy/anonymous-iframe/ Bug:1175099 Change-Id: Iba052a2b3fbf4b45607c48807622d5ced202d583

camillelamy · 2021-05-07T12:45:35Z

So for iframes, we propose a separate solution via an iframe attribute. I have put together an explainer detailing the solution. This is separate from COEP: credentialless. We envision COEP: credentialless as an easy way to deploy COEP on first party frames that embed a lot of unpersonalized cross-origin subresources (e.g. images from a CDN).

This was discussed here: whatwg/html#6637 (comment) This patch renames "cors-or-credentialless" into "credentialless". The WPT test directory: - html/cross-origin-embedder-policy/credentialless/cors-or-credentialess/ - html/cross-origin-embedder-policy/credentialless/full-credentialless/ are renamed: - html/cross-origin-embedder-policy/cors-or-credentialess/ - html/cross-origin-embedder-policy/anonymous-iframe/ Bug: 1175099 Change-Id: Iba052a2b3fbf4b45607c48807622d5ced202d583 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2867588 Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Owners-Override: Kinuko Yasuda <kinuko@chromium.org> Cr-Commit-Position: refs/heads/master@{#880359}

This was discussed here: whatwg/html#6637 (comment) This patch renames "cors-or-credentialless" into "credentialless". The WPT test directory: - html/cross-origin-embedder-policy/credentialless/cors-or-credentialess/ - html/cross-origin-embedder-policy/credentialless/full-credentialless/ are renamed: - html/cross-origin-embedder-policy/cors-or-credentialess/ - html/cross-origin-embedder-policy/anonymous-iframe/ Bug: 1175099 Change-Id: Iba052a2b3fbf4b45607c48807622d5ced202d583 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2867588 Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Owners-Override: Kinuko Yasuda <kinuko@chromium.org> Cr-Commit-Position: refs/heads/master@{#880359}

…redentialless}, a=testonly Automatic update from web-platform-tests Rename COEP:{cors-or-credentialless => credentialless} This was discussed here: whatwg/html#6637 (comment) This patch renames "cors-or-credentialless" into "credentialless". The WPT test directory: - html/cross-origin-embedder-policy/credentialless/cors-or-credentialess/ - html/cross-origin-embedder-policy/credentialless/full-credentialless/ are renamed: - html/cross-origin-embedder-policy/cors-or-credentialess/ - html/cross-origin-embedder-policy/anonymous-iframe/ Bug: 1175099 Change-Id: Iba052a2b3fbf4b45607c48807622d5ced202d583 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2867588 Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Owners-Override: Kinuko Yasuda <kinuko@chromium.org> Cr-Commit-Position: refs/heads/master@{#880359} -- wpt-commits: 27ac2ec45f72f4785951cf3e2b9302b740f6372e wpt-pr: 28838

(Draft) Originally described in: https://github.com/mikewest/credentiallessness `credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability. They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests. * HTML (whatwg/html#6638) * Define how to parse the `credentialless` value. * From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept. * Fetch: (This PR) * Define "Cross-Origin-Embedder-Policy allows credentials". * Omit credentials for no-cors, cross-origin, COEP:credentialless requests. * Check CORP for navigational COEP:credentialless response. * ServiceWorker: XXX * Integration with `Cache.matchAll `algorithm. * XXX See: whatwg/html#6637 ---- - [ ] At least two implementers are interested (and none opposed): * Chrome: https://chromestatus.com/feature/4918234241302528#details * Firefox: XXX * Safari: XXX - [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at: * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/credentialless - [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed: * Chrome: https://crbug.com/1175099 * Firefox: XXX * Safari: XXX (See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.) ---- See: whatwg/html#6637

Define COEP:credentialless Originally described in: https://github.com/mikewest/credentiallessness `credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability. They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in the request. * HTML (whatwg#6638) * Define how to parse the `credentialless` value. * From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with cross-origin isolation` and the HTML spec rewritten to use this concept. * Fetch: (whatwg/fetch#1229) * Define `Cross-Origin-Embedder-Policy allows credentials` algorithm. It omit credentials for no-cors, cross-origin, COEP:credentialless requests. * Define `response's` `request-include-credentials` flag. * In the `Cross-Origin-Resource-Policy check`, if `embedderPolicy` is `credentialless`, require CORP for navigational responses, and opaque responses with `request-include-credentials`. See: whatwg#6637 ---- - [ ] At least two implementers are interested (and none opposed): * Chrome: https://chromestatus.com/feature/4918234241302528#details * Firefox: mozilla/standards-positions#539 (worth prototyping) * Safari: https://lists.webkit.org/pipermail/webkit-dev/2021-June/031898.html (pending) - [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at: * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless - [X] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed: * Chrome: https://crbug.com/1175099 * Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1731778 * Safari: https://bugs.webkit.org/show_bug.cgi?id=230550 (See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)

This defines Cross-Origin-Embedder-Policy: credentialless. The credentialless and require-corp values are similar. One or the other is a requirements for the cross-origin isolated capability. They differ mostly in terms of fetching. require-corp requires a Cross-Origin-Resource-Policy header for cross-origin opaque responses. credentialless doesn't, but omits credentials (cookies, client certificates, etc.) in cross-origin "no-cors" requests. See https://github.com/WICG/credentiallessness for additional context. Fetch PR: whatwg/fetch#1229. Tests: WPT html/cross-origin-embedder-policy/credentialless. Closes whatwg#6637.

This was discussed here: whatwg/html#6637 (comment) This patch renames "cors-or-credentialless" into "credentialless". The WPT test directory: - html/cross-origin-embedder-policy/credentialless/cors-or-credentialess/ - html/cross-origin-embedder-policy/credentialless/full-credentialless/ are renamed: - html/cross-origin-embedder-policy/cors-or-credentialess/ - html/cross-origin-embedder-policy/anonymous-iframe/ Bug: 1175099 Change-Id: Iba052a2b3fbf4b45607c48807622d5ced202d583 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2867588 Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Owners-Override: Kinuko Yasuda <kinuko@chromium.org> Cr-Commit-Position: refs/heads/master@{#880359} NOKEYCHECK=True GitOrigin-RevId: 69edb0b007920f77a4e9f57c20b9520438c7a4a6

ArthurSonzogni mentioned this issue Apr 30, 2021

Add credentialless value to COEP (HTML spec) #6638

Merged

3 tasks

ArthurSonzogni mentioned this issue May 3, 2021

Specify the behavior of COEP: credentialless, whatwg/fetch#1229

Merged

3 tasks

chromium-wpt-export-bot mentioned this issue May 5, 2021

Rename COEP:{cors-or-credentialless => credentialless} web-platform-tests/wpt#28838

Merged

ArthurSonzogni mentioned this issue May 5, 2021

CacheStorage & COEP:credentialless w3c/ServiceWorker#1592

Closed

ArthurSonzogni changed the title ~~Cross-Origin-Embedder-Policy: cors-or-credentialless~~ Cross-Origin-Embedder-Policy: credentialless Jun 1, 2021

ArthurSonzogni mentioned this issue Jun 3, 2021

Cross-Origin-Embedder-Policy: credentialless WICG/proposals#31

Closed

zcorpan added the topic: cross-origin-embedder-policy Issues and ideas around the new "require CORP for subresource requests and frames and etc" proposal label Jul 1, 2021

annevk closed this as completed in 311934b Nov 2, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cross-Origin-Embedder-Policy: credentialless #6637

Cross-Origin-Embedder-Policy: credentialless #6637

ArthurSonzogni commented Apr 30, 2021

annevk commented Apr 30, 2021

annevk commented Apr 30, 2021

ArthurSonzogni commented Apr 30, 2021 •

edited

Loading

annevk commented May 3, 2021

ArthurSonzogni commented May 3, 2021

camillelamy commented May 7, 2021

Cross-Origin-Embedder-Policy: credentialless #6637

Cross-Origin-Embedder-Policy: credentialless #6637

Comments

ArthurSonzogni commented Apr 30, 2021

annevk commented Apr 30, 2021

annevk commented Apr 30, 2021

ArthurSonzogni commented Apr 30, 2021 • edited Loading

annevk commented May 3, 2021

ArthurSonzogni commented May 3, 2021

camillelamy commented May 7, 2021

ArthurSonzogni commented Apr 30, 2021 •

edited

Loading