Specify the behavior of COEP: credentialless,

(Draft) Originally described in: https://github.com/mikewest/credentiallessness `credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability. They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests. * HTML (whatwg/html#6638) * Define how to parse the `credentialless` value. * From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept. * Fetch: (This PR) * Define "Cross-Origin-Embedder-Policy allows credentials". * Omit credentials for no-cors, cross-origin, COEP:credentialless requests. * Check CORP for navigational COEP:credentialless response. * ServiceWorker: XXX * Integration with `Cache.matchAll `algorithm. * XXX See: whatwg/html#6637 ---- - [ ] At least two implementers are interested (and none opposed): * Chrome: https://chromestatus.com/feature/4918234241302528#details * Firefox: XXX * Safari: XXX - [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at: * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/credentialless - [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed: * Chrome: https://crbug.com/1175099 * Firefox: XXX * Safari: XXX (See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.) ---- See: whatwg/html#6637
ArthurSonzogni · May 30, 2021 · 2b03205 · 2b03205
1 parent 0fe0e23
commit 2b03205
Showing 1 changed file with 54 additions and 3 deletions.
diff --git a/fetch.bs b/fetch.bs
@@ -1892,6 +1892,25 @@ source of security bugs. Please seek security review for features that deal with
  <a for="URL serializer"><i>exclude fragment</i></a> set to true.
 </ol>
 
+<p>To check <dfn export>Cross-Origin-Embedder-Policy allows credentials</dfn>, given a
+<a for=/>request</a> <var>request</var>, run theses steps:
+
+<ol>
+ <li><p>If <var>request</var>'s <a for=request>mode</a> is not <code>no-cors</code>", return
+ true.</p>
+
+ <li><p>If <var>request</var>'s <a for=request>client</a> is null, return true.</p>
+
+ <li><p>If <var>request</var>'s <a for=request>client</a>'s <a for="environment settings
+ object">embedder policy</a> is not
+ "<code><a for="embedder policy value">credentialless</a></code>", return true.</p>
+
+ <li><p>If <var>request</var>'s <a for=request>origin</a> is not <a>same origin</a> with
+ <var>request</var>'s <a for=request>client</a>'s <a for="environment settings object">origin</a>,
+ return true.</p>
+
+ <li><p>Return false.</p>
+</ol>
 
 <h4 id=responses>Responses</h4>
 
@@ -1978,6 +1997,10 @@ initially unset.
 being provided to an API that didn't make a range request. See the flag's usage for a detailed
 description of the attack.
 
+<p>A <a for=/>response</a> has an associated <dfn for=response
+id=concept-response-request-include-credentials>request-include-credentials</dfn>, which is
+initially set.
+
 <p>A <a for=/>response</a> has an associated
 <dfn for=response id=concept-response-timing-allow-passed>timing allow passed flag</dfn>, which is
 initially unset.
@@ -3421,9 +3444,29 @@ Cross-Origin-Resource-Policy     = %s"same-origin" / %s"same-site" / %s"cross-or
  <li><p>If <var>policy</var> is neither `<code>same-origin</code>`, `<code>same-site</code>`, nor
  `<code>cross-origin</code>`, then set <var>policy</var> to null.
 
- <li><p>If <var>policy</var> is null and <var>embedderPolicyValue</var> is
- "<code><a for="embedder policy value">require-corp</a></code>", then set <var>policy</var> to
- `<code>same-origin</code>`.
+ <li><p>If <var>policy</var> is null, switch on <var>embedderPolicyValue</var>:
+  <dl class=switch>
+   <dt>`<a for="embedder policy value">unsafe-none</a>`
+   <dt>`<a for="embedder policy value">credentialless</a>`
+   <dd> Set <var>policy</var> to `<code>same-origin</code>` if one of the
+   following is true:
+   <ul>
+    <li><var>response</var>'s <a for="response">request-include-credentials</a> is true and
+        <var>response</var>'s <a for="response">type</a> is "<code>opaque</code>".
+    <li><var>forNavigation</var> is true.
+   </ul>
+
+   <dt>`<a for="embedder policy value">require-corp</a>`
+   <dd> Set <var>policy</var> to `<code>same-origin</code>`.
+  </dl>
+ </li>
+
+ <li><p>If <var>policy</var> is null, <var>embedderPolicyValue</var> is
+ "<code><a for="embedder policy value">credentialless</a></code>", and
+ <var>forNavigation</var> is true, then set <var>policy</var> to `<code>same-origin</code>`.
+
+ <li><p>If <var>policy</var> is null and <var>embedderPolicyValue</var> is "<code><a for="embedder
+ policy value">require-corp</a></code>", then set <var>policy</var> to `<code>same-origin</code>`.
 
  <li>
   <p>Switch on <var>policy</var>:
@@ -4585,6 +4628,10 @@ steps. They return a <a for=/>response</a>.
 
     <p>is true; otherwise false.
 
+   <li>
+    <p>If <a>Cross-Origin-Embedder-Policy allows credentials</a> with
+    <var>request</var> is false, set <var>includeCredentials</var> to false.</p>
+
    <li><p>Let <var>contentLength</var> be <var>httpRequest</var>'s <a for=request>body</a>'s
    <a for=body>length</a>, if <var>httpRequest</var>'s <a for=request>body</a> is non-null;
    otherwise null.
@@ -4945,6 +4992,9 @@ steps. They return a <a for=/>response</a>.
  <li><p>If <var>httpRequest</var>'s <a for=request>header list</a> <a for="header list">contains</a>
  `<code>Range</code>`, then set <var>response</var>'s <a for=response>range-requested flag</a>.
 
+ <li><p>Set <var>response</var>'s <a for=response>request-include-credentials</a> to
+ <var>includeCredentials</var>.
+
  <li>
   <p>If <var>response</var>'s <a for=response>status</a> is 401, <var>httpRequest</var>'s
   <a for=request>response tainting</a> is not "<code>cors</code>", <var>includeCredentials</var> is
@@ -7758,6 +7808,7 @@ Arkadiusz Michalski,
 Arne Johannessen,
 Artem Skoretskiy,
 Arthur Barstow,
+Arthur Sonzogni,
 Asanka Herath,
 Axel Rauschmayer,
 Ben Kelly,